ELECTRONIC PURCHASE OF GOODS OVER A COMMUNICATION NETWORK INCLUDING
PHYSICAL DELIVERY WHILE SECURING PRIVATE AND PERSONAL INFORMATION.

BACKGROUND OF THE INVENTION 
The invention disclosed herein relates to transactions over a communications network
between first and second parties, including ordering of a good and/or delivery of the good
and/or payment for the good while securing private and personal information specific to the
first party or the network device used by the first party with respect to the second party and
unauthorized parties, i.e., others who may or may not be parties to the transaction. Such
information may include the first party's identity, financial information (where a purchase is
involved) and address. The first party may be a consumer or retail customer and the second
party may be a merchant or retailer. The good may be delivered to a physical address or
electronic address designated by the first party or to a physical depot for pick-up by the first
party, while providing complete anonymity of the first party with respect to the second party.

"Communications network" is meant in a broad sense, and may include any suitable
technology for information transmission, including electrical, electromagnetic and optical
technologies. Such a network may include a computer or computers associated with the first
party, a computer or computers associated with the second party and/or a computer or
computers associated with the network. Such a communications network may link
computers, e.g., a LAN or WAN. Although the invention has particular application to an
open network such as the Internet, it may also be used in other networks, internets and
intranets. Therefore, while much of the following description makes specific reference to the
Internet, it is to be understood that there is no intention to limit application of the invention to
the Internet and that the invention has application to any suitable network. Further, while the
invention is primarily directed to the ordering and/or purchase and physical delivery of goods
from retailers selling electronically over a network, it also applies to the ordering and/or
purchase of goods that may be delivered electronically and to the purchase and delivery of
services that result in a deliverable.

The growth of electronic commerce (e-commerce) over the Internet has been
explosive, and expectations are that such growth will continue. However, the Internet as an
open network provides opportunities to legally and illegally collect and use vast amounts of
information which people consider private and personal, and concerns over privacy, fraud
and security online could inhibit the continued explosive growth of business-to-consumer
electronic commerce. Currently, shopping, browsing or other information-sharing activities
on the Internet expose users to unwanted collection of their private and personal
information, from which their identities, activities, behaviors and preferences can be
ascertained. Many people are fearful that someone may be watching their every move when
they interact on the Internet, and that somehow information collected by such persons will be
used to their disadvantage, from outright theft using credit card information to unwanted
intrusions from marketers in the form of "spam" email, and other intrusive activities. (See,
e.g., 1999 National Consumer League: Consumers and the 21st Century, New York: Louis
Harris & Associates, Inc., 1999).

In fact, information on the Internet is currently being captured from mouse clicks
made on a Web browser by a user, and from information transmitted by a user to a Web site.
This information can be processed, for example, to electronically profile users, and used or
sold, depending upon the data collector's privacy policy. Internet users are becoming aware
of the relative ease with which parties may obtain their private and personal information and
are concerned about the gathering of such information and the potential for its distribution.
They are also concerned about interception of credit card numbers and other financially
related data.

As a result, many people, fearful of providing their private and personal information,
are restricting their use of the World Wide Web. This may be manifested by potential users
seldomly accessing the Internet, by users cautiously not submitting or clicking anything of a
private or personal nature, and by users not entering into e-commerce transactions, any of
which of course inhibits e-commerce and development of the full potential of the
e-commerce marketplace.

Since most business-to-consumer transactions conducted over the Internet involve the
use of credit or debit cards, and consumers are protected by the legal limits on liability for the
unauthorized use by third parties of their cards, the parties most concerned about security and
fraud prevention have naturally been the banks, credit card companies and merchants which
must bear the cost of fraudulent transactions for which their card holders are not legally
liable. Encryption of credit card and other data transmitted over the Internet helps banks and
credit card companies protect against unauthorized use of credit cards.
Nonetheless, despite the limitations on their legal liability described above, a great
number of consumers remain hesitant about electronic commerce. Their concerns include
questions about whether the merchants doing business in electronic commerce actually exist
outside of "cyberspace," whether they will misuse credit card, private and personal
information provided to them, whether they will correctly and honestly fulfill orders, honor
product warranties and return-for-credit guarantees, and the like. (See G. Gray and R.
Debreceny, The Electronic Frontier, 185 Journal of Accountancy 32-37, May 1998.)

To complete an electronic transaction in current and emerging e-commerce, one or
more of the parties to the transaction must pass private and/or personal information to
another party. For example, in the transaction represented in Fig. 1, a first party customer
(consumer) submits an order for a good in step 1.1 to a second party merchant (retailer) using
a WWW form. The second party merchant in step 1.2 requests credit authorization for the
transaction with a respective credit card clearing entity. Upon authorization of the
transaction by the credit card clearing entity (step 3), the merchant confirms the transaction
with the customer (step 1.4) and then provides for transfer of the good to a shipper (step 1.5)
who delivers it to the customer (step 1.6). These different steps involve transfer of private
and/or personal information among the parties. The customer provides credit card
information and a shipping address to the merchant. The merchant passes the credit card
information and the sum of the transaction to the credit card clearing entity. The merchant
may also pass identification of the purchased good or service to the credit card clearing
entity, at least in cases where the credit card clearing entity provides or extends product
warranties or another service which require an identification of the good. The merchant
provides for transfer of the good to a first party's shipping address usually in the name of the
first party which are both provided to the shipper.
Additionally, underlying communication protocols and systems may provide
additional private and/or personal information. The customer's computer has an identifying
IP address used to route data packets to the merchant computers or servers. This IP address
is often monitored by unknown parties and merchant systems, and incorporated in databases
to enable the merchant and others to identify the customer as soon as the customer accesses
services in the future. Over time, merchants (and others) collect such private information and
share it with various entities compromising consumer privacy.

These databases are provided or bought and sold among organizations and companies
who may then correlate this information along with other information producing larger
databases that store very detailed history of the user's activities and behaviors, often without
users being aware of this activity. Users' histories are thus correlated over time often using
their transactions that are linked to their true identity.

Tools have been developed to address privacy and security concerns of Internet users.
(See, for example, the February, 1999 issue of Communications of the ACM, Vol. 42, No. 2.)
One approach developed to help protect the identity of Internet users which allows them to
surf the Web anonymously utilizes anonymizing agents, which prevent a user's IP address
from reaching a Web site. This approach requires that the users trust the anonymizing agent.
Some of these tools enable Internet users to insert pseudonyms into Web forms, so that users
can anonymously return to the same site as the same user. Different pseudonyms can be
provided for different Web sites. Examples of anonymizing (and pseudonym) agents
include: "The Anonymizer" (www.anonymizer.com); "Lucent Personalized Web Assistant"
(LPWA) (www.bell-labs.com/project/lwpa); Novell Directory Services (NDS) "digitalme";
Zero Knowledge System's "Freedom" (www.zeroknowledge.com); PrivaSeek's
"PersonaXpress" (www.privaseek.com and www.personaxpress.com).

Another approach, which does not require an anonymizing agent, randomly routes
requests to a Web site through numerous users without shielding the IP address of any of the
users so that neither the destination Web site nor any user (or intermediate node) through
which the request was routed can determine the IP address of the originating user. Examples
of tools which provide anonymity in this way include: "Crowds"
(www.research.att.com/projects/crowds); and "Onion Routing" (www.onion-router.net).

In addition, a privacy seal program has been instituted by a non-profit organization,
TRUSTe. Display of the TRUSTe "trustmark" by member Web sites requires that they
adhere to established privacy principles and agree to comply with ongoing TRUSTe
oversight and consumer resolution procedures, including: adoption and implementation of a
privacy policy that takes into account consumer anxiety over sharing personal information
online; notice and disclosure of the Web site's information collection and use practices; and
the opportunity for users to exercise control over their information.

European Patent Application Publication EP 0 855 659 A1 of Lucent Technologies
Inc. describes a proxy system that allows anonymous browsing on the Internet. The proxy
system substitutes identifiers in browsing commands received from a user which would
identify the user, and filters other information (e.g., HTTP Header fields) associated with
browsing commands that would allow server sites to determine the true identity of users.
The substitute identifiers are site specific, and are consistently used so that a server site
recognizes a returning user and may provide personalized service, and so that the proxy
system is transparent to server sites. The proxy system may perform all functions within a
central proxy system, or some functions in a peripheral proxy system (e.g., at a user site) and
some in a central proxy system. The proxy system may provide its own credit card number
or an alias credit card number to a requesting site and collect money from its users.
U.S. Patent No. 5,794,221 discloses an Internet billing method in which an ISP
through agreement with customers and vendors pays vendors and collects from customers for
products and services purchased by the customer over the Internet without the need for the
customer to transmit credit information to the vendor. While the method improves security
of the financial aspect of a transaction, the customer browses in the usual way and the
method does not provide for customer anonymity.

Examples of systems and methods for anonymous and/or secure Internet
communications and transactions are disclosed in U.S. Patent Nos. 5,420,926, 5,557,518,
5,729,594 and 5,815,665, Japanese Patent Application Publication 10-320646 dated April 12,
1998, and WIPO International Publication No. WO 97/26612.
As shown in Fig. 1 and discussed above, purchase of a good over the Internet requires
delivery of the good, which in turn requires a posted address. Postal addresses today are
maintained on numerous databases, many of which are available from a number of
commercial sources. Address matching software is likewise commercially available. Hence, a
first party's postal address can be sufficiently revealing of personal identity that without some
means of hiding address information from a second party, any effort by a first party to remain
anonymous or unknown to the second party cannot be guaranteed. Although this problem
has been recognized, to the knowledge of the inventors it has not been addressed, and there is
no e-commerce system which allows a first party to electronically purchase a good from a
second party while not only securing the identity of the first party, but also the first party's
postal address. The use of post office boxes, discussed below, is an improvement, but not a
solution.

As represented in Fig. 2, shipping involves at least three participating entities: a
sender — an entity that wishes to deliver a good, who can be a merchant, vendor, retailer or
provider of the good; a recipient — a target entity to receive the good — who can be a
customer or purchaser or orderer of the good; and a shipper — an entity that transports the
good from the sender to the recipient. In a typical Internet transaction involving shipping,
the sender provides identification of the recipient and the recipient's address to the shipper in
order for the shipper to deliver the good to the recipient. The recipient must initially provide
data on his, her or its identity and address to the sender or the shipper or both. This data may
be collected, analyzed and correlated with other data to compromise the privacy of the
recipient.

The need for private shipping has been known for a long time and is currently
addressed through the use of a post-office box (POB), or its variants. A recipient can use a
POB to hide his, her or its identity from a sender. A recipient must however disclose his, her
or its identity to the POB operator (e.g., the post-office (shipper), or private operators) —
which functions as a trusted entity — once, and then uses the POB to protect the recipient's
identity from the sender.

There are several drawbacks to the use of POB techniques in providing privacy-protected
shipping for electronic commerce.

1. Pre-arranged relationship: a POB requires the recipient to first arrange for a mailbox
with the POB provider. This restrictive requirement discourages use by persons or
entities who occasionally desire privacy. POB is typically used for other reasons and
for mass market privacy-protected distribution applications.

2. Pre-allocated space: the provider of a POB service pre-allocates storage space for the
mailbox owner and charges each mailbox owner a storage fee. This restrictive
requirement also discourages use by persons or entities who occasionally want
privacy.

3. Inability to handle returns: a POB provides one-way privacy protection. If the
recipient wishes to return the good in a verifiable way, the recipient must disclose his,
her or its identity and association with the POB.

4. Non-provability of delivery: in a dispute concerning a lost package, the shipper
cannot prove that a package was actually delivered to the recipient.

5. Coordinated comprehensive privacy protection: shipping is only part of a commerce
transaction through which a purchaser exchanges information with a vendor to
purchase and obtain the good. To protect privacy, one needs to assure that no private
data is transmitted through the entire transaction. POB shipping does not
accommodate simple or obvious mechanisms that may be coordinated with other
elements of the transaction to assure privacy.

6. Single-failure compromisability: the privacy of a POB owner can be compromised
through a single incident of correlating the identity of the owner with the mailbox
number.

There is thus a need to protect private and personal information, particularly of first party
users (purchasers, consumers, etc.) and provide security in e-commerce transactions,
particularly where delivery and/or purchase of a good is involved.

OBJECTS AND SUMMARY OF THE INVENTION 
It is an object of the invention to provide communication over a communications
network, particularly an open network, with improved privacy protection for users of the
network.

It is another object of the invention to reduce the unwanted collection and/or
dissemination of information related to users of a communications network, particularly an
open communications network.

It is another object of the invention to provide for the electronic order or purchase of a
good over a communications network by a first party from a second party while securing the
private and personal information of the first party with respect to the second party and
unauthorized parties, i.e., others who may or may not be parties to the transaction. It is
another object to provide for the delivery of the good while securing the private and personal
information of the first party with respect to second party and unauthorized parties. It is
another object to provide for return of the good while securing the private and personal
information of the first party with respect to the second party and unauthorized parties. It is
another object to provide for payment of the good while securing the private and personal
information of the first party with respect to the second party and unauthorized parties. It is
another object to also provide for electronic tracking of delivery while securing the first
party's private and personal information from unauthorized parties.

It is another object of the invention to reduce fraudulent purchases in e-commerce 
transactions which use a communications network. 

It is another object of the invention to provide for the credit processing aspects of an
e-commerce transaction conducted over a communications network while securing private
and personal information of the purchaser with respect to unauthorized parties (e.g., identity,
address and bank and credit account information, etc.).

It is another object of the invention to provide for shipping of a good ordered
electronically over a communications network to the party that ordered the good while
securing private and personal information of the party that ordered the good with respect to
unauthorized parties.

It is another object of the invention to share information relating to electronic
purchases of goods by purchasers from vendors, retailers or merchants and provide a
database for the purpose of determining the performance of the vendors, retailers and
vendors.

It is another object of the invention to gather information about electronic transactions
and purchases that does not include private and personal information of purchasers, but
includes other information about the transaction, including information about the good, its
price, and the identity of the electronic vendor. It is another object to provide a database
which stores such information such that purchasers are anonymous in the database.

It is another object of the invention to provide a system and software for the electronic
purchase of a good over a communications network which secures private and personal
information of the purchaser with respect to unauthorized parties, and provides for electronic
payment to the electronic vendor without an operator or provider of the system and/or
software being liable to the merchant for payment on behalf of the purchaser. It is another
object of the invention to provide the operator or provider a fee for this service.
It is another object of the invention to provide such a system and software for the
electronic purchase of a good over a communications network which can be selectively
configured to provide certain transaction information to parties of the transaction while
securing the first party's private and personal information with respect to the second party
and unauthorized parties.

It is another object of the invention to provide improved filtering of information from
network users (e.g., first party purchasers, etc.) to prevent others on a network from obtaining
private and personal information of users.

It is another object of the invention to protect private and personal information of
network users making electronic purchases over a network while providing flexibility to
accommodate multiple users per network device and per bank or credit card account.

It is another object of the invention to protect private and personal information of
network users making electronic purchases over a network while providing flexibility to
accommodate one, or more than one, bank or credit card entity, and to permit such flexibility
on a per user or per transaction basis.

Unless otherwise indicated expressly or by context, "good" encompasses a
deliverable, including a physical good, an electronic or virtual good and a service which
provides a physical, electronic or virtual deliverable. The terms "user", "purchaser",
"customer", "consumer", "recipient" and "orderer" are used interchangeably unless indicated
otherwise expressly or by context, and are encompassed by the term "first party" (to an
electronic transaction). Similarly, the terms "vendor", "retailer", "merchant" or "provider"
or "sender" of a good, are used interchangeably unless indicated otherwise expressly or by
context, and are encompassed by the term "second party" (to the electronic transaction).

Securing information of a private or personal nature of a first party or specific to a
first party and/or the device or computer used by the first party means preventing other
parties (who may or may not be parties to a transaction or communication involving the first
party), typically at least the second party, from obtaining such information as may be
generated, transmitted, stored or collected in a transaction and from which another party may
learn the private or personal information of the first party. Such private or personal
information may include: an identity which may be a true physical and/or true electronic
identity of the first party and/or a computer or device used by the first party; an address
which may be a true physical and/or true electronic address of the first party or the computer
or device used by the first party; and/or other information relating to the first party such as
social security number, driver's license number and bank and/or credit account information.
Such information may be derived from multiple collections stored and provided by multiple
parties and shared, linked and/or merged to reveal personal and private information and
behavior of the user over time.

The invention disclosed herein achieves the above and other objects, and provides for
users of a communications network, such as the Internet, to communicate, and/or order,
and/or obtain and/or receive, and/or purchase and/or charge or electronically pay for
deliverables using the network, while securing such information of a private or personal
nature of the users with respect to unauthorized parties, and providing improved protection
against fraud. In accordance with the invention, communications and/or a transaction can be
carried out between a user or first party, typically a consumer, or a prospective or actual
purchaser or customer, and a second party, typically a merchant, retailer or vendor, over a
communications network linking the first and second parties, in which information is
provided and/or a good is ordered, and/or purchased and/or paid for and/or delivered, while
securing such information of the first party with respect at least to the second party. The
invention provides methods, systems and software for doing this and other things.

The terms "provides for" and "providing for" are meant in a broad sense, and
encompass a party or device directly or indirectly, alone or with or through one or more other
parties or devices, effecting the specified action(s), function(s), task(s), etc.

Depending upon the embodiment and the communications network, the parties may
use computers or other devices to communicate and provide for payment and physical or
electronic delivery. (The term "computer" is also used in a broad sense, and includes devices
which operate or include a component that operates in accordance with a stored set of
instructions, including PCs, microcomputers, microcontrollers. A hard-wired device such as
a gate array though not technically a computer may be considered to be a computer or the
equivalent of a computer as that term is used herein depending upon the function(s)
performed by the hard-wired device. For ease of description and claiming, "computer"
should be interpreted to include such other devices and instruments and such hard-wired
devices.)

In accordance with the invention, delivery of a physical good may be made to a
physical address of a physical facility designated by the first party which may be a depot for
pick-up anonymously by or on behalf of first party, or a second or last address while securing
private information of the first party at least with respect to the second party. The first party
may designate any appropriate physical address (e.g., residence or business), including an
address related to another party, e.g., a friend or a party to whom the good is delivered as a
gift. In accordance with the invention, an electronic good may be delivered to an electronic
address designated by the first party while securing the private and personal information of
the first party with respect to other parties.

In one embodiment, a user or first party may communicate over the network with a
second party, using a proxy. The proxy may provide a different identity for a user for a set of
communications (e.g., browsing) or for each transaction. Thus, the user has a different
identity each time it establishes communication with a second party or for each transaction.
For example, the proxy may use a unique session number (#F) generated by the proxy for
each transaction to provide a unique alphanumeric name that is supplied to the second party
vendors. In a sense, the proxy party is anonymized or privatized vis a vis the second party.
Also, vendors will not be able to compile any use history on any user since new or unique
proxy identities generated automatically cannot be linked with other transactions over time.

Alternatively, the proxy may provide the same identity for a user for all
communications and transactions. In this embodiment, the proxy can provide a user name
which is a function of a unique name or proxy identifier (I) of each user and the proxy's
identity (public identity) (P) for each transaction. This user name is the same for each user
for all transactions and communications for all vendors. Thus, a user history may be
compiled by vendors and others for a user who is anonymous to them.

The proxy may also alter information from the first party directed to the network or
the second party so that the second party cannot ascertain the first party's private and
personal information. The proxy may also provide for payment and/or delivery of an ordered
identity. The proxy may or may not know the true identity of the first party, or any private or
personal information of the first party.

The proxy provided by the embodiments of the invention described immediately
above differs from the proxy system disclosed in the European patent application of Lucent
referenced above (EP 0 855 651 A1) because in one case the identity of the user changes with
each transaction or browsing or shopping session so that each transaction appears to involve
a different party without a repeat transaction from any party, and in another case the identity
of a particular user is the same for all transactions (browsing, shopping, etc.) with all
vendors, while in the published Lucent European patent application the identity of a
particular user with a particular Web site is the same for all communications and transactions
with that Web site and different for other Web sites.

In another embodiment a proxy is not required, unlike the proxy system disclosed in
the referenced Lucent European patent publication. In this embodiment, the user (first party)
is provided a transacting (or communicating) identity, not the true identity of the user, which
is revealed to the second party but from which the second party (and unauthorized parties)
cannot ascertain private or personal information of the first party. Second parties and others
cannot link the true identity or other private or personal information to the first party (or the
first party's equipment) with the transacting identity. Thus, all communications from the
first party appear to others to be from a party with an identity of the transacting identifier.
Only the party providing the first party with the transacting identity can link the true identity
of the first party with the transacting identity. Where a purchase is involved, the bank or
credit clearing entity stores information linking the true identity of the user and the
transacting identity. This embodiment may also provide for altering information from the
first party directed to the network or the second party to prevent the second party from
ascertaining the first party's private and personal information. The bank or credit card
clearing entity generates these transacting identities for all customers who use the inventive
system and method, and provides a database linking the transacting and true identities. When
a retailer provides the bank or credit card clearing entity with a transacting identity, they link
to the true identity to process the transaction. For an Internet application, users may also use
the transacting identity to browse, subscribe to an ISP and/or to obtain telephone service for
accessing the Internet. Thus, only the bank or credit card clearing entity will know the true
identity of the user. In this embodiment, the bank or credit card company performs some of
the functions of the proxy described in other embodiments.
10 In the embodiment which does not require a proxy, a proxy may be provided for the 

purpose of collecting and storing transaction information for safe keeping and possible later 
use, e.g., in the case of non-receipt or retum of an ordered good, or a dispute on payment or 
price, etc. The proxy may expire identifiers and/or user names similar to the manner in 
which credit card company's expire credit cards. This will terminate the history that a vendor 
15 has with a particular user and prevent vendors firom maintaining long term preferences for 
any user. The expiration cycle for the identifiers and user names may be linked to (e.g., the 
same as) the expiration date of a user's credit card. Expiring identifiers and user names on 
the same cycle as user credit card numbers, or more frequently such as after each transaction 
may be also used as a fraud prevention measure. 
20 In the preferred embodiments, a first party, having information of a personal or 

private nature specific to the first party or a first device used by the first party, orders a good 
from a second party over a communications network. A delivery address to which the good 
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can be delivered is provided over the network to the second party while securing said 
information of the first party with respect to the second party. Information from the first 
party directed to the second party for communicating with the second party or to order a good 
is provided while securing said information of the first party as indicated above. 
5 The first and second parties communicate with each other over the network using 

devices or computers, e.g., PCs. In the embodiment which uses a proxy, the proxy may be 
or utilize a proxy device, typically a computer or computers, and/or proxy software 
associated with a user device typically a computer (PC) and/or a proxy device, typically a 
computer server. 

Proxy software includes software executed by devices or computers used by the first
parties and/or software executed by one or more proxy devices or computers. A proxy
system includes the proxy software, one or more devices or computers for executing the
proxy software, and may include other elements as disclosed herein. "Proxy software" and
"proxy system" sometimes overlap and are sometimes used interchangeably as the context
will indicate. Preferably, information from the first party directed to the second party or the
network is altered using software associated with a first device used by the first party or a
proxy device, or both. In this embodiment, this software provides the delivery address to the
second party. The proxy software may be executed by a central proxy device to provide the
delivery address to the second party from stored information. In the embodiment that does
not require a proxy, the delivery address is provided by the first party device.

As mentioned, the good may be a physical good and the delivery address is a physical 
address of a physical facility, where the good is physically delivered. The delivery address 
may be that of a depot, where the good may be made available for pick up by or on behalf of
the first party in a manner which does not require said information of the first party to be
revealed at the physical facility. Alternatively, delivery to a physical address, which may not
secure said information of the first party, designated by the first party may be provided for by
delivering first to a first physical address (e.g., a depot), without revealing the private and
personal information of the first party to the second party and unauthorized parties, and then
trans-shipping to a second or last physical address designated by the first party but not
revealed to the second party. The first physical address, given to the second party, does not
reveal the private and personal information of the first party. Although the second physical
address may reveal such information, it is made known at the first physical address and not
given to the second party. Alternatively, the delivery address may be a proxy address that
does not reveal the true physical address of the first party and that may be converted or
mapped by a shipper to the true physical address to which the good is to be delivered as
designated by the first party. Shipment to the first delivery address may be referred to as a
"first hop" shipment, and shipment to the second physical address designated by the first
party may be referred to as a "second hop" or "last hop" shipment.



The good may also be an electronically transmittable file and the delivery address an
electronic address of a proxy, or an electronic address of a first party having a transacting
identity that does not reveal said private and personal information of the first party. In either
case, electronic delivery to the respective electronic address does not reveal said information.
The file is electronically transmitted to the proxy or the first party. If the file is electronically
transmitted to the proxy, the file is then transmitted to an electronic address of the first party
which may not secure said information of the first party, and which is available to the proxy,
but not to the second party. If transmitted to the first party, the electronic address is a
transacting address which does not reveal the private or personal information of the first
party, as discussed above with respect to a transacting identity.

Provision may be made, with or without a delivery provision, for approval or
disapproval of a purchase of a good by a first party from a second party based on financial
information relating to the first party, and if the purchase is approved, provision may be
made for payment to the second party while securing said information of the first party with
respect to the second party. Information from the first party directed to the network or the
second party is secured as described above.

Approval or disapproval may comprise another party providing for approval or 
disapproval of the purchase based on financial information relating to the first party, and 
payment (e.g., crediting an account) may be provided to the second party, if the purchase is 
approved, by the other party who also provides for debiting the first party. The other party may
be a third party who approves or disapproves of the purchase based on financial information
relating to the first party, and who also pays (credits) the second party and debits the first 
party if the purchase is approved. 

The other party may arrange with at least a third party to provide for approval or 
disapproval of the purchase based on the financial information relating to the first party, and,
if approved, the other party arranges with at least the third party to provide for payment to
the second party and debiting of the first party.

In the embodiments described herein, the other party may be the proxy, or a bank or
credit clearing entity. In the proxy embodiment, the other party may be a proxy party and
may use proxy software associated with the first party's first device or a proxy device, or
both, to provide for payment to the second party and debiting of the first party. The proxy
can do this directly, or through at least one third party.

Approval or disapproval by a third party may be provided using a third device 
communicating with the proxy software which also provides for crediting the second party 
and debiting the first party if the purchase is approved. 



In the embodiment that does not require use of a proxy, the party providing the
transacting identity may be a bank or credit card company which may also provide the first
user with an account which also cannot be linked to the true identity of the first party. A
second party merchant simply forwards the transacting identity and account number to the
bank or credit card company, which has a database linking true identities and true accounts to
the transacting identities and accounts. The bank or credit card company credits the
merchant and debits the true account of the transacting first party. In this embodiment, the
first party provides a delivery address to the second party, and delivery is otherwise treated as
described above.

The invention is applicable to payment via a credit card or other means, e.g., e-cash or
other component of an electronic wallet. A transaction fee or service charge may be levied
for the transaction, similar to the fee levied in a credit card transaction. Part of the fee may
be paid to a proxy operating or otherwise associated with use of the invention or a proxy
system, etc. Netting and settling among the first, second, proxy and other parties involves
crediting and debiting various accounts for the purchase price of the good and all or parts of
the service charge. The fee may alternatively be a subscription or sign-up fee which enables
a party to participate in purchases. The fee may be periodic and fixed for each period, or
based on the volume or dollar amount of purchases, etc.

In one embodiment, a third party approves the credit of the first party purchaser,
credits the second party vendor and debits the first party purchaser. In this embodiment, the
proxy may or may not have an account with the third party, and the proxy need not be
actively involved in credit approval and need not be financially responsible for payment to
the second party and collection from the first party.

[...] two parties in addition to a proxy party are involved [...]
approval and payment processes. For example, a third party approves the credit of a first
party and electronically credits a proxy party and electronically debits the first party, and a
fourth party approves credit of the proxy party and electronically debits the proxy party and
electronically credits the second party. Here the fourth party approves or disapproves the
transaction based on the proxy party's account with the fourth party, and the proxy party
undertakes financial responsibility. Alternatively, the proxy party's participation (and
financial liability) in settling the transactions may be eliminated, and the third party debits
the first party and credits the fourth party, who debits the third party and credits the second
party. The approvals in this variation are as follows. The third party approves the credit of
the first party and the fourth party approves the credit of the third party. In this embodiment,
as above, the accounts can be credit card accounts, and also a fee is paid to the proxy party,
which can come from both the third party and the fourth party.

In one embodiment, a system implementing the invention described above may be
configurable, e.g., on a user or other party basis or on a transaction basis, for operation using 
a third party, or a third party and a fourth party in addition to the proxy party for the financial 
procedures described above. In still another embodiment, systems implementing the 
invention described above may be configurable for operation with various parties having 
access to or being provided with various information, with the exception that the first party's 
private information remains secured with respect to the second party. 

As pointed out above, the first party's private information is withheld from the second 
party and from any unauthorized party, but may be provided to authorized parties. For 
example, depending upon the embodiment, the first party's credit card company (a third or 
fourth party) could be provided with price information only, with price and good information 
only, or with price, good and second party vendor information. A shipper making a last hop 
delivery of a good to a first party would of course know the delivery address and perhaps the 
identity of the first party. The identities of the good and the second party where these appear 
on the outside of a package containing the good or in a shipping record may also be known to 
the shipper. However, in those cases, which are expected to be minimal, the shipped good 
can be repackaged or wrapped, or the last hop delivery may be made by a shipper who is 
authorized by proxy software or is part of the proxy system. 

The first party's identity and credit card number are not transmitted between parties, 
and therefore such information is protected and not available to unauthorized parties as part 
of the transaction. In the proxy embodiment, the first party's account information is not 
transmitted to the proxy, and the proxy transmits proxy account information to the second 
party, not first party account information. The proxy need not have the true account
information of the first party, but identifying information by which a third party can link to
the first party's account. In the embodiment that does not require a proxy, a transacting
account, not a true account, is transmitted to the second party.

Thus, the invention allows private and personal information to be withheld from the
second party, and allows the first party to communicate with the second party via the
communications network without revealing the user's identity and location or address. This
provides complete anonymity to the first party vis-à-vis the second party. With specific
respect to the Internet, given the existing capability in the communication, transaction
processing and credit processing chains for accumulating and distributing information
relating to an Internet user's identity, preferences, etc., the complete anonymity that use of the
invention provides to Internet users should allay their fear of conducting e-commerce over
the Internet, or any open computer network. Further, authorized parties who use the
invention, for example credit card companies and banks, will have a powerful tool to expand
use of their credit cards and to attract new members, and prevent fraudulent use.

In the preferred embodiment, the invention is implemented on the Internet (although 
the invention is not so limited), and comprises information-processing modules (hardware
and software) which permit Internet users (first parties) to browse and search the Internet
anonymously, order or purchase goods from second parties online anonymously, and have
them delivered anonymously (at least with respect to the second parties providing the goods)
to their homes or offices or other designated address, or to a depot for pick-up by the user.

The user's anonymity is preserved as against (i) proprietors of the Web sites that the
user may visit, (ii) the online second party vendors from whom the user orders or purchases
goods, and (iii) shippers except for the last-hop shipper that delivers a good to an address
designated by the user. Although in the proxy embodiment the user's identity may be known
to the ISP, the browsing behavior, the items purchased, the identity of the vendor, and the
user's financial information are secured or withheld from the ISP. The user's credit card
issuer or company (a third or fourth party) is notified that the user wishes to make a
purchase for a given sum, and information necessary for authorization of the purchase is
provided in a way which prevents fraud and protects the user's credit card information as
well. Information about what the user has bought (or ordered if a purchase is not involved),
and where that purchase is ultimately being shipped can be withheld from the credit card
company as well as from other parties in the chain of commerce, except for the last-hop
shipper who delivers to the address designated by the user. Measures discussed herein may
also be taken to limit the information available to the last hop shipper. In cases where the
credit card company has a need for information identifying the good or service purchased, as
for example where the credit card company provides or extends a warranty, or provides a
promotion, etc., such information will be supplied to the credit card company. Special
arrangements may also be made so that this information is routinely given to the credit card
company. The transaction database, or a similar database may also be used to measure
vendor performance by logging data such as returns, complaints, delivery times, damaged
goods, etc. Thus, the invention acts as an information buffer between the user and the
Internet and/or certain parties in the transaction.
In processing transactions, a proxy transaction database may be provided in
accordance with the invention to store information generated in the transactions. In an
embodiment having a proxy system, the proxy transaction database indexes and links the
second party vendor supplied confirmation, order or purchase information, with a unique
session or transaction identifier (#F) generated by the proxy system for each transaction. The
unique session number may be used as an index to the transaction to route messages from
second party vendor computers to the respective first party computer involved in the
transaction represented by the unique session number. This linkage also allows the proxy
system to route shipped goods to the user's address if so requested by the user, and to enable
return of the goods to the vendor.

The proxy transaction database or another secured address mapping (SAM) database 
(which may be part of or separate from the proxy transaction database) may be used to link 
users and their addresses. Second party vendors typically include identifying information on
shipping labels with sufficient detail to uniquely identify purchase or order information
received from customers. This information is linked with the unique session or transaction
identifier created by the proxy computer software working in conjunction with the user proxy
software. Optionally, the proxy computer software may transmit to second party vendors
sufficient identity information that includes the unique session identifier #F. For example,
the NAME field, or some other field, of the second party vendor's form-based web page may
be an automatically generated symbol including as a portion the unique session identifier #F
or a number from which #F may be determined. Automated readers of shipping labels would
therefore read the unique session identifier #F to allow for automated lookup of the user's
actual shipping address where the good is to be delivered directly to a user designated
address.

The unique shopping session number (#F) may be a tracking number and/or linked to 
a tracking number used to track physical delivery through a shipper's existing tracking 
system. Alternatively, a tracking number may be stored in the SAM database and/or provided
to the first party to track the delivery without disclosing the tracking number to the second 
party. 
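The linkage between #F, the vendor-facing NAME field and the SAM database can be sketched as follows. This is an added example, not code from the patent; the `PX-` label format, the depot address, the class and method names and the sample addresses are all constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

DEPOT_ADDRESS = "Depot 7, 100 Example Road"  # constructed first-hop address
LABEL_PREFIX = "PX-"                          # hypothetical NAME-field format


@dataclass
class ProxySystem:
    """Toy proxy holding a transaction database and a SAM database."""
    # transaction database: #F -> proxy identifier and vendor-supplied info
    transactions: dict = field(default_factory=dict)
    # secured address mapping (SAM) database: proxy identifier -> true address
    sam: dict = field(default_factory=dict)
    # shippers allowed to perform the last-hop lookup
    authorized_shippers: set = field(default_factory=set)

    def register_user(self, proxy_id, true_address):
        self.sam[proxy_id] = true_address

    def open_transaction(self, proxy_id):
        """Generate a fresh, unguessable #F for one transaction."""
        if proxy_id not in self.sam:
            raise KeyError("unknown proxy identifier")
        session_id = secrets.token_hex(8).upper()
        self.transactions[session_id] = {"proxy_id": proxy_id, "vendor_info": None}
        return session_id

    def vendor_form_fields(self, session_id, item):
        """Values the proxy enters into the vendor's order form.

        Only #F and the first-hop address reach the vendor; neither the
        proxy identifier nor the true address appears in any field.
        """
        if session_id not in self.transactions:
            raise KeyError("unknown session identifier")
        return {"NAME": LABEL_PREFIX + session_id,
                "ADDRESS": DEPOT_ADDRESS,
                "ITEM": item}

    def _session_from_label(self, label_name):
        """Recover #F from the NAME printed on a label or vendor message."""
        if not label_name.startswith(LABEL_PREFIX):
            raise ValueError("label does not carry a session identifier")
        session_id = label_name[len(LABEL_PREFIX):]
        if session_id not in self.transactions:
            raise KeyError("unknown session identifier")
        return session_id

    def record_vendor_confirmation(self, label_name, confirmation):
        """Index vendor-supplied info by #F; return whom to route it to."""
        session_id = self._session_from_label(label_name)
        self.transactions[session_id]["vendor_info"] = confirmation
        return self.transactions[session_id]["proxy_id"]

    def last_hop_address(self, shipper, label_name):
        """SAM lookup of the true address, for authorized shippers only."""
        if shipper not in self.authorized_shippers:
            raise PermissionError("shipper may not query the SAM database")
        session_id = self._session_from_label(label_name)
        return self.sam[self.transactions[session_id]["proxy_id"]]


if __name__ == "__main__":
    proxy = ProxySystem()
    proxy.register_user("I-0001", "12 Constructed Lane, Springfield")
    proxy.authorized_shippers.add("last-hop-courier")
    form = proxy.vendor_form_fields(proxy.open_transaction("I-0001"), "book")
    print("vendor sees:", form)
    print("last hop goes to:", proxy.last_hop_address("last-hop-courier", form["NAME"]))
```

Because a new #F is drawn for every transaction, two orders by the same user carry unrelated NAME values, so the label itself gives the vendor nothing to correlate.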

Third and other parties may also provide transaction databases to store transaction 
information that they are provided with or generate. 

As pointed out above, first party private and personal information is secured at least
with respect to second parties. While credit card companies received all of the transactional
information when the first party customers dealt directly with second party vendors, use of the
invention can result in the credit card companies receiving only that transactional information
that is necessary to perform the credit function. In accordance with an aspect of the
invention, information in the proxy database containing private and personal information of
first parties can selectively be made available to parties other than the second party such as
credit card companies. As mentioned above, the proxy need not know the true identity of the
first party or any private or personal information of the first party. Regardless, a proxy
database can be provided which does not contain any private or personal information of first
parties, and such information made available to any other party. Optionally, the proxy party
can be compensated or otherwise rewarded for supplying such information. Stated another
way, access by banks and credit card companies to transaction information they previously
received can be selectively restricted by the invention.

One way that the invention implements selective passing of transaction information is 
for the proxy party to present itself as the vendor to the credit card company in place of the 
true vendor, and pay the vendor. In order to prevent the credit card company or any other
party from matching transactions to obtain certain transaction information, the invention
provides for a proxy party to use the credit card of another credit card company for the 
transaction. 

In addition, rather than selectively supplying such information to credit card 
companies or other parties to the transaction (other than the second party vendors), proxy
software can provide for passing selected information during the transaction, i.e., the
software can be selectively configured to pass selected information depending upon the
relationships and arrangements the proxy party has with third and fourth parties and other
parties to the transaction. Some non-private information can also be provided to second
party vendors so that they can maintain an historical preference database. For example, a
consistent user name may be provided for a particular user to a particular vendor.

The invention provides for reconfiguration of the software on a party by party basis to 
achieve the above-described selectivity. 
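One way to give each vendor a consistent user name while still expiring it on the credit card cycle, or after each transaction, is sketched below. This is an added example, not the patent's own mechanism: the HMAC-based derivation, the class and method names and all sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac
from datetime import date


class ExpiredIdentifier(Exception):
    """Raised when a vendor presents a user name past its expiration."""


class PseudonymIssuer:
    """Proxy-side issuer of vendor-facing user names (hypothetical design)."""

    def __init__(self, secret: bytes):
        self._secret = secret  # known only to the proxy system
        # user name -> (proxy identifier, vendor, expires_on, single_use)
        self._issued = {}

    def issue(self, proxy_id, vendor, card_expiry, txn_no=None):
        """Derive the user name shown to one vendor.

        The name is stable per (user, vendor, card cycle), so the vendor can
        keep a preference history, but differs between vendors and changes
        when the card cycle changes. Passing txn_no makes it single-use.
        """
        parts = [proxy_id, vendor, card_expiry.isoformat()]
        if txn_no is not None:
            parts.append(str(txn_no))
        mac = hmac.new(self._secret, "\x1f".join(parts).encode(), hashlib.sha256)
        name = "user-" + mac.hexdigest()[:16]
        self._issued[name] = (proxy_id, vendor, card_expiry, txn_no is not None)
        return name

    def resolve(self, name, vendor, today):
        """Map a vendor-presented user name back to the proxy identifier."""
        proxy_id, issued_to, expires_on, single_use = self._issued[name]
        if issued_to != vendor:
            raise PermissionError("user name was not issued to this vendor")
        if today > expires_on:
            del self._issued[name]  # terminate the history tied to this name
            raise ExpiredIdentifier(name)
        if single_use:
            del self._issued[name]  # expire after the one transaction
        return proxy_id


if __name__ == "__main__":
    issuer = PseudonymIssuer(b"constructed-demo-key")
    cycle = date(2026, 6, 30)  # constructed card expiration date
    print(issuer.issue("I-0001", "books.example", cycle))
    print(issuer.issue("I-0001", "music.example", cycle))
    print(issuer.issue("I-0001", "books.example", date(2029, 6, 30)))
```

Without the proxy's secret, two vendors comparing their customer lists cannot match the names they were each given for the same user.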
Internet Embodiments 

In the preferred Internet embodiment, the invention utilizes a proxy and is 
implemented by proxy software executed on user or first party computers and on one or more
proxy computers. The software may be provided to users by way of a download or
preferably on a tangible medium like a CD-ROM. The software on the user's computer
operates in conjunction with the user computer's browser, such as Microsoft Internet
Explorer® or Netscape Navigator®, either by a default or upon selection by the user. The
proxy software on the user's computer and the proxy computer(s) cause all communications
for second parties to be routed through a proxy computer.

In the preferred Internet embodiment, all browsing by the user is done anonymously
through the proxy system using a protected proxy identifier (I) or persona unique to the user
and known only to the proxy system. A unique proxy identifier is assigned to each copy of
user proxy software provided to a user. The relationship of the proxy identifier and the user
is maintained secret by the proxy system. As mentioned above, the proxy system need not
know the user's true identity. To reduce the risk of unintended disclosure of this relationship,
the proxy identifier is withheld from the user so the user cannot link their true identity with
the proxy identifier.

The proxy system can use the proxy identifier to automatically apply preferences to a
transaction, such as shipping mode, delivery name and address (or depot pick up), etc. The
proxy system may store in a secure way the user's credit card information linked with the
user's proxy identifier, and charge the user's credit card for the purchase made by the proxy
system on behalf of the user. Alternatively, the proxy may not have the user's true name and
account information, and the user's bank (a third or fourth party) may link the user's account
with the user's proxy identifier and either credit the proxy system operator (proxy party) for a
purchase made on behalf of the user or eliminate the proxy party from the financial aspects of
the transaction, i.e., provide for payment to a second party and debit a first party directly.
Regardless of whether the proxy party is in the payment and responsibility chain, it may be
paid a transaction fee for each transaction (or on some other basis). The user's bank provides
for payment to the second party merchant of the purchase price less a service charge, and
provides part of the service charge to the proxy party as the transaction fee.

Typically, the proxy identifier identifies one user. However, sub-accounts may be set 
up for other users (e.g., family or business unit members authorized by the registered user) in
a household or business unit who use the same computer and the same copy of the user proxy
software. The sub-account may, for example, be identified by a field or fields in the proxy
identifier, or in any suitable way. Alternatively, more than one registered copy of user proxy
software may be stored on the same computer.

In conjunction with the user's credit card issuing company or bank, the proxy system
generates the unique proxy identifier I and provides it as part of the proxy software provided
to a user, without disclosing the proxy identifier to the user. Each registered copy of user
proxy software with its unique proxy identifier may be considered as a distinct plastic credit
card. For security and fraud reduction, the proxy system can expire the user's proxy software
and proxy identifier with the expiration of the user's credit card to which the user has
authorized the proxy system to charge for purchases made on behalf of the user. Thereby,
user proxy software and proxy identifiers will be on the same expiration cycle as the user's
credit card. Similarly, a user's proxy software and proxy identifier can be made unauthorized
(or expired) if a user's proxy identifier or proxy software is lost, stolen, corrupted, etc., or
when the user's credit card is lost or stolen. Users can be supplied with a new copy of user
proxy software (with a new proxy identifier) whenever the user is provided with a new credit
card.

Further, users may register multiple credit cards issued by multiple banks (third or
fourth parties), but each would require the download of a unique copy of user proxy software
with a unique proxy identifier. Alternatively, a single copy of the user proxy software can
store multiple proxy identifiers, selectable by the user for his, her or its purchases, or a copy
of the user proxy software can be provided with the same proxy identifier indexed into the
same credit card account for multiple users of the same credit card account. This is akin to
issuing additional credit cards on the same credit card account. A user may store his, her or
its single "proxy credit card" on more than one computer, e.g., a palm top and a desktop PC.

A user may provide the proxy system with more than one credit card number for each
copy of the user proxy software, and designate credit card choice as part of the transaction or
otherwise. 

The proxy system allows the user (first party) to be represented not as an individual 
transaction with a true identity, but rather as an anonymous transaction with a proxy 
identifier. For example, a user may allow someone else to make an e-commerce purchase
with the user's proxy identifier, just like a person today may allow a spouse or child to make
purchases on that person's credit card account. Use of the same proxy identifier by
authorized persons is under the control of the user and the issuing bank (third or fourth
party), and the true identity of any of the users of the same proxy identifier (e.g., spouse,
child) can be maintained by the user's bank. However, the true identity of the actual
transactor is known only to the user when the user allows someone else to use the user's
unique proxy identifier. The proxy system essentially provides an electronic means to
transact exactly as it is now done with plastic credit cards, but without disclosing the true
name on the card. The proxy system may provide security against unauthorized use of a
proxy identifier by requiring secret information such as a PIN or password or a biometric be
used whenever anyone wants to transact using the proxy system. This provides a level of
security above what is available today using credit cards.

The proxy software alters a variety of information about the user and his, her or its
location from the information transmitted from the user to a proxy computer, and provides
information which enables a Web site to respond to that proxy computer, and that proxy
computer to route the information supplied by the Web server to the proper user. Although
prior art filtering techniques may be used, the filtering described herein is preferred at least
because it is more comprehensive.

When a user wishes to purchase or order a good from an online second party vendor,
the user simply follows the vendor site's usual procedures, selects the good to be ordered,
enters purchase order information, etc., which the proxy software analyzes and alters where
necessary. The user has the perception of placing the order directly with the online vendor.
Alternatively, the proxy computer may substitute its own set of procedures for the vendor's
procedures, and translate between the two sets of procedures while maintaining user
anonymity. Alternatively, the user may supply proxy information by clicking a menu of
choices or dragging and dropping proxy information into the fields of the vendor's
Web pages.

The invention provides comprehensive multi-layer privacy protection, examining
messages of user or client computers that are to be transmitted to server computers and
messages received from server computers. At the network protocol layer (e.g., IP and future
protocols), address information of the client computer is replaced with a proxy address. At
the transport protocol layer (e.g., HTTP and future protocols), client computer information of
a private nature is replaced with information that anonymizes the client computer. Unlike
some approaches that only provide anonymizing of IP addresses, and other approaches, such
as disclosed in the European patent application of Lucent referenced above (EP 0 855 65 1
A1), which filter HTTP headers, the invention goes further and provides for anonymization
at the application layer, capturing and replacing all accesses to client computer system
information of a private nature, including cookies and other sources of information of a
private nature, with information that anonymizes the client computer.

The invention also provides for replacement of compromising procedures, e.g.,
procedures which collect data from a user's computer, or anonymization of the collected
data. For example, the invention replaces compromising active code (e.g., Java applets and
ActiveX) and/or XML forms. (XML is a new extension of HTML which allows services to
send pages to users marked with tags that activate local information collection routines that
can compromise user information.)

In the proxy embodiment, a proxy computer provides the user's credit card company
(bank) with the user's unique proxy identifier which the bank correlates with the user's credit
card account information, and authorizes or denies authorization for the purchase. In the
embodiment in which a bank gives a user a transacting identity and account, the user's true
credit card information is not known to the proxy and is not transmitted to or by the proxy.
Thus, the user's true credit card information is not transmitted at all on the network.
Information other than the purchase price may or may not be transmitted to the user's bank
depending upon the arrangement between the proxy system operator and the bank. For
example, information about the vendor, the good(s) being purchased or the shipper may also
be provided to the user's bank.

The user's bank authorizes (or declines to authorize) the purchase, and conveys such
information back to the requesting party. Assuming the purchase has been authorized, a
proxy computer enters the order with the online vendor using the proxy system operator's
name and the proxy system's account number (thereby further masking the identity of the
user). The proxy system may implement the credit function with a bank or banks in different
ways. In one embodiment, a single bank is involved in a transaction, which authorizes a
vendor to charge the proxy system operator's credit card account, and then nets the
transaction by paying the vendor the price of the good less the transaction fee, charging the
user's credit card the price of the good, crediting the proxy system operator's account, and
paying the proxy system operator a percentage of the transaction fee (part of the service
charge). Here, the bank may be provided with a description of the good, and of course has
the identity of the vendor. Alternatively, the single bank can be provided with all details of
the transaction and eliminate the proxy operator from the liability and netting chains, except
for the percentage of the bank fee.

In another proxy embodiment, two banks are involved: one as the credit card
company of the proxy system operator and the other as the credit card company of the user.
Here, the vendor charges the purchase price to the proxy system operator's bank and the
proxy system charges the purchase price to user's credit card, and netting provides the two
banks and the proxy system with part of the bank fee. Depending upon the arrangement,
identification of the good may be withheld from both banks and the identity of the vendor
may be withheld from the user's bank.

In either embodiment, the proxy system provides shipping instructions to the second
party vendor which do not include an address linked to the user. The proxy system may
include one or more proxy shipping computers to perform certain shipping functions. (The
other proxy computer(s) can be referred to as privacy protection computers to distinguish
between them and the shipping computer(s).)

In the embodiment that does not require a proxy, only a single bank or credit card
entity need be involved. The first party user transmits the transacting identity and account to
the second party vendor, who requests approval from the bank. In this embodiment, the first
party user transmits shipping information directly to the second party vendor. The bank or a
party acting on behalf of the bank may handle shipping (depot operation, label-switching,
transshipping) as described for the proxy embodiment.

As suggested above, e-commerce requires privacy-protected shipping techniques beyond
the scope of POB-like mechanisms. The invention provides privacy-protected shipping
techniques that offer the following features:

1. Two-way Privacy: The recipient of a good ordered using the invention, i.e., a user
of the proxy system, can not only have the good delivered, but can return the good as well,
while assuring that his, her or its identity is disclosed only to the proxy party or a party
authorized by the proxy party and remains completely anonymous with respect to any
distrusted participant in the shipping chain (i.e., the second party vendor, and possibly the
shipper, if the shipper is not authorized by the proxy party to receive private information.
The second party cannot identify the recipient from any data available to it either for
shipping or for returns).

2. Two-way verifiability: The second party vendor and shipper can verify with the
proxy party or a party authorized by the proxy party without compromising privacy that the
recipient received or returned the package in a manner that can allocate responsibility for
loss.

3. One-time transaction privacy: Privacy is provided for each individual shipping
transaction independently of other shipping transactions. In particular, it does not require
long term per-recipient allocation of space or other resources; furthermore, should privacy be
compromised by one transaction, it does not enable compromising additional transactions.

4. Coordinated comprehensive privacy-protection of e-commerce transactions:
Shipping can be easily coordinated with shopping and purchasing to provide fully
assured comprehensive privacy protection.

POB privacy-protection substantially fails to support any of these four features. The
invention as it relates to the problem of privacy-protected shipping provides shipping
techniques that accomplish these four features.

The invention provides two techniques to accomplish privacy-protected shipping: label-switching
and one-time virtual mailbox agent (OVM), e.g., depot pick-up. Label-switching
involves switching the labels on a package. Alternatively, label switching may be provided
by using devices that scan computer readable information or codes printed or otherwise
placed on packages which may generate a new electronic label, e.g., by reading a remote
database, and that display an address on a device without printing a physical paper-based
label. The second party vendor provides the package with the ordered good for shipping
labeled with a unique transaction identifier (e.g., #F) and the address of a label switching
agent authorized by the proxy party to handle private information. The label-switching agent
uses this transaction identifier to generate a label with the recipient's identity and address. A
trans-shipper then delivers the relabeled package. In case of return, the authorized label-switching
agent reverses the process and relabels the package with the respective transaction
identifier. Label-switching also applies to electronically delivered goods. Thus, for example,
a file delivered to an electronic depot with the depot's electronic address may be
retransmitted from the electronic depot with the user-designated electronic address.

Label-switched shipping may include the following. A recipient concludes a transaction
with a second party using the services of the proxy party. The proxy party generates the
unique transaction identifier and provides it to the second party vendor and the recipient.
The unique transaction identifier may be applied in machine readable form using any suitable
technology, e.g., bar codes, glyphs, OCR, etc. The unique transaction identifier serves to
hide the true identity of the recipient and indexes the transaction. The unique transaction
identifier may therefore serve as a data key to the entire transaction and may be used to store
and access transaction data such as recipient name, address, second party vendor, credit card
information, good information, etc. The unique transaction identifier may be, or may be
linked to, a tracking number.

The proxy party provides the unique identifier and the respective recipient identity and
shipping address to the label-switching agent authorized to handle private information. The
package, labeled with the unique identifier, is passed to the authorized label-switching agent
where a new shipping label is generated with the unique transaction identifier and address of
the recipient. The package is delivered via a shipper to the recipient. To handle a return, the
authorized label-switching agent reverses the process, replacing the label with a unique
transaction identifier and notifying the proxy party of the relabeled shipment. Multiple
different media for communications and/or label switching may be used.

OVM operates as follows. The second party vendor labels the package containing the
good with the unique transaction identifier as described above, and the address of an OVM
depot, for example, OVM77432572980975, 10 Main Street, Any Town, USA 12345. The
shipper delivers the package to the OVM depot at the address. The recipient claims the
package by providing at least the unique transaction identifier (or some number or code from
which the transaction identifier (#F) may be determined) on the package to the OVM depot.
However, it is preferred that the recipient provide two pieces of identifying data. Other
identifying data may be secret information such as a confidential code or a pass word or
biometric known to the recipient and the OVM agent.
The shipping instructions include the unique transaction identifier which is associated
with the shipment so that the shipment can be identified for later trans-shipment to the user or
for later depot pick-up by the user. The unique transaction identifier is such that the user's
identity and address are not revealed to the second party vendor. In the case of depot pick-up,
the OVM agent releases the shipment based on a presentation of the unique transaction
identifier, and perhaps some other information which does not reveal the identity and address
of the user to the shipper or depot. In the case of trans-shipment, the user's name and address
are associated with the package after delivery to a trans-shipment point (authorized label-switching
agent) on the basis of the unique transaction identifier, and the good is delivered
from there directly to the user's address. While the trans-shipper may know the identity and
address of the user, the trans-shipper does not know the contents of the package or the price
of the good. However, the identity of the second party vendor and the good may be printed
upon or otherwise evident from the package. In such cases, the package delivered to the
authorized label-switching agent may be repackaged, i.e., placed into another package or
wrapped in some way. An OVM agent may also be required to repackage or wrap a package
so that the clerk who hands the package over to the recipient can not associate the good with
the appearance of the recipient.

Thus, at each step of the transaction, the identity and other sensitive information about
the user remain anonymous to the second party vendor, and no third party has all information
identifying the user, the product, the second party vendor and the user's financial
information.

In the embodiment that does not require a proxy, the functions of the proxy relating to
shipping, labeling, depot operation and trans-shipping may be handled by the bank or a party
or parties authorized by the bank.
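
The label-switching and OVM depot flows described above, sketched as an added example (it is not code from the patent): the class and method names, the 16-hex-digit identifier format and the randomly generated pick-up code are assumptions made for illustration. It shows which party can read what at each hop and why a released identifier cannot be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Everything readable on the outside of a package at one hop."""
    txn_id: str
    addressee: str
    address: str


class ProxyParty:
    """Owns the secured address mapping (SAM): identifier -> recipient data."""

    def __init__(self, agent_address):
        self.agent_address = agent_address
        self._sam = {}             # never disclosed to the second party vendor
        self.return_notices = []   # identifiers reported back by the agent

    def open_transaction(self, name, address):
        # A fresh random identifier per order: nothing links two orders
        # placed by the same recipient (one-time transaction privacy).
        txn_id = secrets.token_hex(8).upper()
        pickup_code = secrets.token_urlsafe(12)  # second secret for depot pick-up
        self._sam[txn_id] = {
            "name": name,
            "address": address,
            "code_hash": hashlib.sha256(pickup_code.encode()).digest(),
        }
        return txn_id, pickup_code

    def vendor_label(self, txn_id):
        """The only shipping data the second party vendor receives."""
        return Label(txn_id, "OVM" + txn_id, self.agent_address)

    def recipient_for(self, txn_id):
        """For the authorized label-switching agent only."""
        rec = self._sam[txn_id]
        return rec["name"], rec["address"]

    def depot_credential(self, txn_id):
        """For the depot: a hash of the pick-up code, no name or address."""
        return self._sam[txn_id]["code_hash"]


class LabelSwitchingAgent:
    def __init__(self, proxy):
        self.proxy = proxy

    def forward(self, label):
        """Replace the vendor's label with one bearing the real destination."""
        name, address = self.proxy.recipient_for(label.txn_id)
        return Label(label.txn_id, name, address)

    def handle_return(self, label, vendor_returns_address):
        """Reverse the switch so the vendor sees only the identifier again."""
        self.proxy.recipient_for(label.txn_id)   # KeyError if unknown identifier
        self.proxy.return_notices.append(label.txn_id)
        # The return destination is an assumption; the page only says the
        # package is relabeled with the transaction identifier.
        return Label(label.txn_id, "RETURN " + label.txn_id, vendor_returns_address)


class OVMDepot:
    """One-time virtual mailbox: release needs the identifier and the code."""

    def __init__(self, proxy):
        self.proxy = proxy
        self._shelf = {}   # txn_id -> expected code hash

    def receive(self, label):
        self._shelf[label.txn_id] = self.proxy.depot_credential(label.txn_id)

    def release(self, txn_id, pickup_code):
        expected = self._shelf.get(txn_id)
        if expected is None:
            return False
        presented = hashlib.sha256(pickup_code.encode()).digest()
        if not hmac.compare_digest(presented, expected):   # constant-time compare
            return False
        del self._shelf[txn_id]   # one-time: the identifier cannot be replayed
        return True


def exposes(label, *private_values):
    """True if any private value is readable on the label."""
    text = " ".join((label.txn_id, label.addressee, label.address))
    return any(v in text for v in private_values)


if __name__ == "__main__":
    # Constructed sample data, not taken from the page.
    proxy = ProxyParty("10 Main Street, Any Town, USA 12345")
    txn, code = proxy.open_transaction("A. Recipient", "42 Sample Road, Otherville")
    outbound = proxy.vendor_label(txn)
    print("vendor sees:   ", outbound)
    print("after switch:  ", LabelSwitchingAgent(proxy).forward(outbound))
```

Because the depot holds only a hash of a high-entropy code, a leaked depot shelf list reveals neither the recipient nor a usable pick-up secret.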

In a preferred Internet embodiment, the proxy system includes or uses the following. 

1. User proxy software: The user proxy software is stored on a user's PC or other
device capable of accessing network-based information systems or communications
networks such as the Internet/World Wide Web. Each copy of the user proxy software is
registered and is assigned a unique and secured proxy identifier (I). The proxy identifier is
preferably withheld from the user to enhance security as indicated above. For example, the
proxy identifier is embedded in the user proxy software so that a typical user can not access
it. The user proxy software is "registered" with the proxy system operator which serves as a
privacy protection agent. As described above, multiple related users of the same registered
copy of user proxy software can be accommodated in one or more fields of the proxy
identifier, or otherwise. Also, multiple copies for multiple users may reside on the same
computer. The user proxy software can be distributed by the proxy system operator or a
bank or credit card company affiliated with the proxy system operator, or the proxy system
operator may be a bank or credit card company.

2. Proxy computer software: Proxy computer software is stored on one or more
proxy computers and identifies registered user proxy software, indexes or links to a user's
bank account (or debit account, or electronic check account, or credit card account) or some
other account used for transacting business or purchasing items. (This user financial
information is not made available to the proxy system operator, who only has information to
index to the user financial information.) Proxy computer software also performs shipping,
label generating and switching functions, and tracking status (during shipping and return) and
shipping status.

The proxy software (user proxy software and/or proxy computer software) includes
filtering software, preferably the filtering software described herein.

3. Proxy computer(s): One or more proxy computers are owned and/or operated
by the proxy system operator, and operate in conjunction with the proxy computer software
to control transactions, including a secured address mapping (SAM) database that links
purchase information with user's shipping address, and a transaction database for purchase,
shipping and transaction information. Different proxy computers or software modules may
perform different functions. For example, separate computers or modules may be used to
perform privacy functions (e.g., handling communications between an on-line second party
vendor and a first party user while maintaining user anonymity), transaction logging,
shipping, label-switching, transaction inquiry handling and confirmation (e.g., linking the
proxy system database and a shipper's tracking database), etc.

4. A browser program: Software or some other means of accessing the
communications network stored on a user's PC or other appliance.

5. Bank authorization software: Software stored on the proxy computer(s)
and/or on one or more computers of one or more banks for submitting transaction
information to the bank and receiving in return authorization or denial information.

6. Proxy party credit system: In some embodiments, a credit card account or
other credit arrangement by which credit of the proxy system operator is involved in the
purchase of the goods from retailers.

In addition, a user must have a credit card account, or other account information
(debit, electronic check, etc.), which is authorized to be charged for goods ordered by a user.

In the context of the Internet/World Wide Web, the proxy system may operate as
follows.

I. Registration procedure: A prospective user applies to the proxy system
operator or to his, her or its credit card company to become a proxy system user. Upon
approval by the proxy system operator and/or the credit card company (or as part of the
initial application), the user must provide information such as his, her or its credit card
number(s) and expiration date(s), shipping preferences, and services depot and user
address(es). A copy of the user proxy software is given, mailed or shipped to the user, who
loads it on his, her or its PC, e.g., as a plug-in to the browser on the PC. The user proxy
software, in cooperation with the browser on the user's computer, can automatically go online
to a proxy system computer or prompt the user to access the proxy system, and can complete
the registration process automatically or in response to prompts, or a combination thereof.
The registration process may require input by a user of secret information such as a PIN or
pass word or biometric or other secret information that the user downloads or selects.
Loading and downloading menus and procedures are provided to facilitate loading of the
user proxy software on the user's PC.

II. User accesses the proxy system: The user elects to shop privately by
actively clicking an icon, button, book mark or "favorites" or by some other typical means
provided on the browser of the computer being used by the now loaded user proxy software.
Alternatively, the user proxy software may set private shopping as a default, whenever the
browser is active so that a user must click an icon, etc. to browse conventionally.

The user proxy software may first issue a request to the user to enter secret
information such as a PIN, password, biometric, key or some other identifying information to
determine that the user is authorized to transact with the user proxy software. (Since the
active participation of the user in initiating the privacy feature provides direct evidence of the
user's wish to remain anonymous to second party vendors, users directly control their own
personal information.)

III. Proxy system creates a session: The proxy computer software creates a
unique session for each transaction (or browsing session with a vendor) to identify
transactions initiated by users in cooperation with the user proxy software. The unique
session is assigned a unique identifier (e.g., #F) for identification and control purposes.

The user proxy software transmits to the proxy computer software unique and
encrypted or secured numbers that are used by the proxy computer software to uniquely
identify and index the user's unique proxy identifier (I) for the registered client software,
current shopping activity, current order, if any, and user shipping address.

With the proxy system active, the second party vendor's WebPage provided through
the proxy system may appear "wrapped" or "framed" within a window, frame or panel
provided by the proxy system, or as largely provided by the second party vendor but with a
banner, unique cursor icon, or other indication that the proxy system is active but not
appearing in full view. When a user browses through the proxy system, the proxy system
acts as a portal to Web sites. Alternatively, if the user is currently visiting the second party
vendor's WebPage independently of the proxy system and the user wants to now shop
privately, the user accesses the proxy system, and the second party vendor's WebPage cached
on the user's PC then appears in the proxy system's window, etc.

The proxy system may provide banner messages, or scrolling or pop up messages
within its WebPage to remind and direct the user of certain actions the user must or may take
to hide their identity and personal information from the second party vendor, and may
provide a final message asking whether all information on the screen is correct.

The second party vendor's WebPage, now embedded within the proxy system's
"wrapping" WebPage or "bannered" by the proxy system, includes form-based fields
requesting the name, address, salutation, shipping address and credit card information from
the user, as well as perhaps other identifying, private or personal information.
IV. The proxy system communicates with the second party vendor: The user
proxy software on the user's PC provides menus called, for example, by right mouse button
clicking on the user's mouse. (Alternatively, icons, buttons, or other easily accessible means
that may be clicked or invoked can be provided, e.g., dragging and dropping information into
fields of the WebPage.) When the user first clicks in the NAME field of the second party
vendor's WebPage form, the user may then right click the mouse to reveal a pop-up menu of
choices, one of which may be NAME, for example. When the user chooses the NAME item
from the right mouse button menu, the user proxy software provides the proxy system's
identity. Alternatively, the proxy computer software, alone or in conjunction with the user
proxy software, provides the proxy system's identity. The proxy system's identity may be
transmitted immediately or when a final submit action is made by the user. The user's true
identity is therefore not transmitted to the second party vendor.

For each field of the second party vendor's WebPage form that requests identifying
information, right mouse button menus and clicks on the menu choices are provided by the
proxy system to fill out the form entirely with the proxy system's own identity information.
The clicking actions by the user essentially direct the proxy computer software to transmit
the appropriate identity information of the proxy system. One such piece of information is
credit card account information that is used by the second party vendor to charge and receive
payment. The proxy computer software does not have and does not transmit the user's credit
card information, but rather the proxy system's credit card information, which need not and
preferably is not disclosed to the user. Other account information used by the proxy system
in the transaction may be transmitted instead, e.g., debit account information, electronic
check account information, or some other information that provides for a billing, or charge
and payment transaction between the second party vendor and the proxy system.

The proxy computer software also transmits as part of the identifying information the
proxy system's shipping (e.g., depot) address. The user's real shipping address has either been
previously stored or on file with the proxy system when the user registered, or the user may
be asked to select shipping information from the proxy computer software while shopping
and filling out the second party vendor's web form. In the latter case, the selected shipping
address is transmitted to the proxy computer software for further processing. The proxy
system does not forward the user's shipping address to the second party vendor. Hence, the
information provided to the second party vendor indicates that the second party vendor
transacted with the proxy system, and the user's identity, account information and address are
entirely unknown to the second party vendor in the transaction.

The proxy system additionally removes and replaces any identifying, private and 
personal information from all data transmitted to the retailer as discussed herein. 

The proxy temporarily stores transaction information until a transaction is completed. 

V. The proxy system completes the transaction with the second party vendor:
When the user initiates completion of the order by clicking the appropriate button or
icon in the second party vendor's WebPage (e.g., using the right mouse button menus
provided by the user proxy software) the proxy computer software also completes the
transaction by submitting the now completed form but with the proxy system's identifying
information which has been inserted by the proxy software.

The second party vendor obtains authorization from the proxy system operator's bank
(which may be the same as the first party user's bank) to charge the transaction to a credit
card. The proxy computer software waits for and receives from the second party vendor
confirmation information (e.g., a confirmation page) that the proxy computer software stores
for future reference. This archived confirmation information includes all identifying
information transmitted to the second party vendor as well as typically a complete list of
items ordered from the second party vendor and credit card information. This transaction
information may be stored on the proxy computer (in a transaction database) for later
retrieval by the first party. The shipping information may be stored in a secured address
mapping (SAM) database.

The second party vendor also supplies a confirmation or order number or symbol
(e.g., H) used to identify the purchase information displayed in the confirmation page. The
unique session number (#F) is indexed to this confirmation or order information for future
processing and completion of shipping instructions to direct goods to their final destination
(the user's shipping address or the proxy system's depot). This information (unique session
number #F, any confirmation numbers or symbols H returned by the second party vendor,
and other possible information produced by the proxy computer software working in
conjunction with the user proxy software) is stored in the transaction database and may
optionally be transmitted to the user's PC for local storage and future reference. Information
supplied by a second party vendor and proxy system supplied information may be down-loaded
to a user's PC to enable the user to contact the second party vendor anonymously to
check on order status, or to arrange for return, or to report damage, etc. The down-loaded
information must be sufficient to enable a user to contact a second party vendor and identify
the concerned transaction while maintaining user anonymity.

VI. The proxy system submits a transaction to the bank: The proxy system's
server software now transmits purchasing information to a bank as if a customer (the user)
were purchasing from the proxy system. The proxy system passes to the bank the user's
proxy identifier that allows the bank to identify the user as a bank customer and access the
customer's account. In an alternative embodiment, the proxy system database may store user
bank account information linked to the proxy identifier, and the proxy system may transmit
this account information (encrypted or secured) to the bank.

The interactions between the proxy system and the bank are protected by
authentication and encryption of all information communicated. The proxy system enables
the bank to configure these protection mechanisms in a way that enables only the bank to
validate the identity of the user and to decode the information transmitted.

The proxy system notes the transaction, as well as the transaction amount that includes at
least the transaction amount charged by second party vendor for the selected goods plus,
optionally, additional fees that the proxy system may charge for use of its service. The proxy
system may thus charge the user an amount that is displayed to the user with confirmation
information that the user's order and credit card transaction have been completed and
authorized. This information may be directly displayed to the user who may still be
browsing, or it may be transmitted by some other means at a later time, for example email.

The bank returns or communicates to the proxy system sufficient authorization
information to allow the transaction to complete. The bank-supplied authorization
information may optionally be linked with the previously stored confirmation information
received from the second party vendor. In the normal course of business functions, the
second party vendor charges the correspondent bank or credit card company of the proxy
system for the proxy system's apparent purchase of goods. The second party vendor is
charged a fee by the correspondent bank for the transaction, just as in non-anonymous
transactions.

However, hidden from the second party vendor, the credit card company or bank of
the user credits the proxy system for the purchase of goods and pays the proxy system part of
the fee charged to the second party vendor by correspondent bank as the proxy system fee.
The correspondent bank matches the transaction with the user's credit card bank, nets the
transaction and pays the proxy system its fee. As discussed herein, a different fee
arrangement may be provided to compensate the proxy system operator.

As also discussed herein, the user's bank and the proxy system operator's bank may be
different or the same.

The authorization and other transaction information with the bank is also stored in the
transaction database.

V. and VI. Reversed: Alternatively, the proxy system may first submit
transaction information to the user's bank, wait for authorization and then complete the order
with the second party vendor and complete its communication with the user. If the bank
denies the transaction, then the proxy system would not send confirmation or completion
orders to the second party vendor and the user would be informed that their purchase is
denied. Alternatively, the user's bank may have pre-authorized the user's transactions by
providing certificates, or certified electronic cash and thus the user's bank need not be
contacted during the transaction process.

VII. Shipping: The second party vendor ships to the address provided by the
proxy system (e.g., by a proxy shipping computer from the secured address mapping (SAM)
database), which can not be linked to the user by the second party vendor. The proxy system
previously indexed the user's shipping information with the previously stored confirmation
information and unique shopping session or transaction identifier in the secured address
mapping (SAM) database. This shipping information will include either the user's shipping
address or information designating user pick-up and/or tracking numbers. Where the user
designated delivery to a shipping address, that address, indexed to the confirmation
information, is used to generate a new shipping label. The packaged goods are then relabeled
(or repackaged or wrapped if the identity of the good or the second party vendor is to be
shielded) with the user-designated shipping address and shipped to the user.

Where the user designated depot pick-up, the packaged goods can simply be stored
for pick-up indexed by the shopping session or transaction identifier, or with some other
information. Alternatively, the packaged goods can be relabeled with other information
useful in facilitating pick-up by the user. (As discussed above, the packaged goods may also
be repackaged or wrapped to hide the identity of the good and the identity of the second party
vendor.) The proxy system notifies the user of shipment by the second party vendor, receipt
at the depot, or both. The proxy system may provide the user and the depot with information
other than the session identifier (#F) by which the user's package is identified and indexed at
the depot.

The procedure described above provides for communication over the Internet using
the TCP/IP protocol. However, certain communications between the first party users and the
proxy computer(s) can be by e-mail, as can certain communications between the proxy
computer(s) and third party computer. For example, after successful installation of the user
proxy software, the user may register by e-mail (encrypted). The proxy may capture the
registration data and forward it by e-mail to a database (e.g., the transaction database).
Similarly, after an order has been successfully entered and stored, for example, in a
temporary file, the proxy may capture the information and e-mail it to the database (e.g., the
transaction database). Appropriate information may also be captured and e-mailed to the
bank(s). In addition, confirmations, order information, tracking information and good receipt
information may also be sent by e-mail as well as in response to requests transmitted by the
browser. Thus, a user may access the order information and track order processing and
shipping.

BRIEF DESCRIPTION OF THE DRAWINGS 
The invention is illustrated in the figures of the accompanying drawings which are 
meant to be exemplary and not limiting. The description herein, including the appended 
claims, identifies various elements by specific names for convenience. These names are 
intended to be generic in their application unless otherwise indicated. In the accompanying 
drawings: 

Fig. 1 is a block and flow diagram representing a conventional multi-party e-commerce 
transaction involving a first party consumer, a second party merchant, a shipper 
and a credit card clearing entity; 

Fig. 2 is a block and flow diagram of a conventional shipping transaction involving a 
sender, a recipient and a shipper; 

Fig. 3 is a block diagram of an embodiment of a system incorporating the invention 
for the purchase of goods over the Internet and payment for the goods; 

Fig. 3A is a block diagram of an alternate embodiment of the system depicted in Fig. 3 
showing a delivery facility as part of the system; 

Fig. 3B is a block diagram of an embodiment of a system which provides for purchase 
and payment and delivery of goods over the Internet; 

Fig. 3C is a block diagram of a portion of the system depicted in Fig. 3 showing an 
additional party (fourth party) as part of the system depicted in Fig. 3B; 

Fig. 3D is a block diagram of an alternate embodiment of a system incorporating the 
invention for the purchase of goods over the Internet without a proxy; 

Figs. 3E-3H are flow diagrams showing credit approval and crediting/debiting of the 
parties involved in a transaction for various embodiments; 

Fig. 4 is a block and flow diagram illustrating an electronic purchase made using the 
system depicted in Fig. 3B; 

Figs. 4A-4Q illustrate specific steps and data flows carried out using the system 
depicted in Fig. 3B; 

Fig. 5 is a diagram illustrating transaction authorization and netting procedures carried 
out by the system depicted in Fig. 3B; 



depicted in Fig. 3B stored by the third party bank; 

Fig. 7 is a data diagram representing data generated in a transaction using the system 
depicted in Fig. 3B stored by the proxy; 

Fig. 8 is a table showing data generated during a transaction and the parties who have 
access to the data; 

Fig. 9 is a diagram showing IP protocol layers of IP packets processed by first party 
(user) computers, proxy party computers and second party computers in the system depicted 
in Fig. 3C; 

Fig. 10 is a flow chart illustrating an algorithm for filtering outgoing information from 
first party computers to the WWW in the system depicted in Fig. 3B; 

Fig. 11 is a flow chart illustrating an algorithm for filtering incoming information 
from the WWW to first party computers in the system depicted in Fig. 3B; 

Fig. 12 is a flow chart illustrating authorization of a purchase from a first party 
computer in the system depicted in Fig. 3B; 

Fig. 13 is a block and flow chart illustrating shipping, relabeling and delivery of a 
good purchased, for example, using the system depicted in Fig. 3B; and 

Fig. 14 is a block and flow chart illustrating operation of depot pick-up of a good 
purchased, for example, using the system depicted in Fig. 3B. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 
As mentioned above, the invention provides methods and systems which enable users 
of a communications network such as the Internet to communicate, and/or order, and/or 
obtain or receive, and/or charge or electronically pay for deliverables over the network, while 
securing private and personal information of the users with respect to unauthorized parties 
and providing improved protection against fraud. Embodiments of the invention may or may 
not include a proxy, as discussed above. 

In the presently preferred embodiment, the methods and systems include a central 
proxy, and a system including a proxy is described below. 

The overall architecture of systems with a central proxy incorporating the invention 
can be implemented in different ways, some of which are illustrated in Figs. 3, 3A, 3B and 
3C which depict a system 100, 100a, 100b, 100c linked by the Internet 102 and optionally by 
one or more secure transmission links 104 for conducting e-commerce over the Internet and 
World Wide Web between first party customers, represented by first party computers 106, 
and second party merchants, represented by second party computers 110 through a proxy 
system 112, 112a which includes proxy computer(s) 108 and proxy software 114. The proxy 
computer(s) 108 represent a proxy party or proxy system operator. A third party, represented 
by third party computer(s) 116, pays (credits) second party merchants for respective goods 
purchased by first party customers and debits the accounts of respective first party customers. 

Referring to Fig. 3, the proxy system 112 may include one or more databases for 
storing transaction data. For example, a transaction database 115 that stores transaction data 
(e.g., as shown in Fig. 7) may be provided that links transaction data, as described below. 
Other parties such as the third party bank 116 may also have a database such as a transaction 
database 117 that stores transaction data (e.g., as shown in Fig. 6). As pointed out above, by 
logging data such as returns, complaints, delivery times, damaged goods, etc. in the proxy 
transaction database, or in another database maintained by the proxy, vendor performance 
can be measured. 

The first party can elect to communicate and transact directly with the second party 
conventionally, as in Fig. 1, or through the proxy system 112 represented in Fig. 3. If 
privacy is wanted, communicating or transacting with a second party is handled through the 
proxy system 112. The proxy software 114 secures the first party's private and personal 
information with respect to unauthorized parties and provides information necessary for an 
e-commerce transaction which routes the transaction through the proxy system 112 and 
identifies the proxy party (i.e., the proxy system operator) as the transactor. 

The proxy software 114 may be executed by the proxy computer(s) 108, or distributed 
and executed by both first party computers 106 and proxy computer(s) 108. Fig. 3 depicts an 
embodiment in which the proxy software 114 is distributed, part 114a being executed by user 
computers 106 and part 114b being executed by proxy computer(s) 108. The first party 
computers 106 may function as client computers, and the proxy party computer(s) 108 and 
the third party computers 106 may function as server computers. For convenience, and to 
more easily differentiate the proxy software parts, proxy software 114a executed by first 
party computers 106 is referred to as user proxy software 114a, and proxy software 114b 
executed by a proxy computer 108 is referred to as proxy computer software 114b. 

A system 112a which may provide for delivery of physical goods, and as illustrated in 
Fig. 3A, includes a physical or virtual delivery facility 118 to which a good ordered by a first 
party customer is delivered while securing the identity of the first party. The delivery facility 
118 may be linked to a proxy computer 108 through the Internet or a secure link 120, and 
may include one or more proxy computers 108. A secured address mapping (SAM) database 
119 may be provided to link users with their physical or electronic shipping addresses. The 
SAM 119 database may be located within a proxy computer 108 that communicates with first 
party computers or at a delivery facility 118, or at another location accessible over the 
Internet (preferably over a secured channel). 

Thus, Figs. 3 and 3A respectively represent embodiments in which payment for 
purchase of a good is achieved over the Internet while securing the private and personal 
information of the purchaser with respect to unauthorized parties, and in which physical 
delivery of a good ordered over the Internet is achieved while securing the private and 
personal information of the purchaser with respect to unauthorized parties. In the preferred 
embodiment, the system 100b shown in Fig. 3B provides for both payment and delivery and is 
represented by combining Figs. 3 and 3A, i.e., Fig. 3B includes the delivery facility 118 and 
the SAM database 119 at the delivery facility and/or the proxy computer(s) and/or at another 
location. 

In the systems 100, 100b depicted in Figs. 3 and 3B, both first parties and the proxy 
party have accounts with the third party 116 (bank or credit card company, etc.), and third 
party 116 performs credit clearing and provides for payment (credit) to a second party and 
debiting of a first party involved in a particular transaction, and also crediting the proxy party 
with a part of the service charge, as described in more detail below. Fig. 3C illustrates a 
system 100c which includes two parties, third party 116a and fourth party 124, involved in 
credit clearing and payment for a purchase, and represents an alternate embodiment of the 
system 100b depicted in Fig. 3B. The third party 116a may be a bank or credit card 
company, etc., as in Fig. 3B, with which a first party has an account, and the fourth party 124 
may be another bank or credit card company with which the proxy party has an account. 
Third party 116a clears credit card transactions with respect to the first party and fourth party 
124 clears credit card transactions with respect to the proxy party. The third and fourth 
parties settle, where, generally, the fourth party pays the second party, and debits the proxy 
party's account with the fourth party, and the third party pays the proxy party by crediting the 
proxy party's account with the fourth party and debits the first party's account with the third 
party, as described in more detail below. 

Fig. 3D shows the embodiment that does not require a proxy. System 100d includes 
first party computers 106 which include a browser 122 and altering software 114c which 
performs the filtering described in connection with the proxy software. System 100d also 
includes a delivery facility similar to delivery facility 118 but operated by the third party 116. 
Second party computers 110 and a third party computer 116b are similar to those in system 
100b shown in Fig. 3B. System 100d may also include a central transaction or proxy 
database 115a which stores transaction data for safe keeping and later retrieval by the parties 
in the event of a return, or a dispute, etc. 

Referring to Fig. 3B, each first party computer 106 accesses the Internet and navigates 
the World Wide Web with browser software 122 (e.g., Internet Explorer® and Netscape 
Navigator®). A first party computer 106 may access the Internet and navigate directly 
without using the proxy system 112, or through proxy computer(s) 108 using the proxy 
system 112, as described below. 

Operation of the system 100b is described with reference to Fig. 3B and Fig. 4. In the 
flow diagram of Fig. 4, the first party is referred to as "Customer C", or simply "the 
customer", the second party as "Retailer R", or simply "the retailer", the proxy party as 
"iPrivacy", the third party as "Bank B", or simply "the bank", and the delivery facility 118 as 
"A: Shipping Depot/Transship", or simply as "the depot". In Fig. 4, the customer block is 
referenced by 106 consistent with the first party computer(s) 106 in Fig. 3, the iPrivacy block 
by 108 consistent with the proxy computer(s) 108 in Fig. 3, the retailer block by 110 
consistent with the second party computer(s) 110 in Fig. 3, the bank block 116 consistent 
with the third party computer(s) 116 in Fig. 3, and the depot block by 118 consistent with the 
delivery facility 118 in Fig. 3A. 

Referring to Figs. 3B and 4, the proxy software 114 extends an API (the WWW 
browser 122) with software to monitor, filter and reroute interactions between the browser 
122 and second party computers 110 (e.g., WWW servers). The proxy software 114 provides 
anonymizing transformations of these interactions to assure the customer's privacy, and 
eliminates from the transaction all explicit and implicit information identifying the customer 
and issues transaction information to the retailer with the proxy system's own identifying 
information, including financial charging information and a "first hop" shipping address from 
which the ordered good may be trans-shipped or held for customer pick up. The proxy 
software 114 monitors and filters all data exchanged between the customer computer 106 and 
the merchant computer 110 and removes any data that may compromise customer privacy. 
For example, cookies and agents dispatched by merchant computers 110 to customer 
computers 106 are eliminated. 

Referring to Fig. 4, the customer computer 106 has a physical address G and an IP 
address G', and user proxy software 114a by which the computer 106 accesses the Internet 
through a proxy computer 108 for anonymous WWW browsing and e-commerce. The user 
proxy software 114a is registered to Customer C under proxy identifier I, and can be invoked 
with PINs, passwords, biometrics, etc. The proxy identifier may have one or more fields or 
other means to identify such users, and the proxy computer software may store data relating 
to such users. Also, more than one copy of user proxy software 114a may be loaded on the 
same PC and registered to different users, or loaded on different computers and registered to 
the same user. 

Assume that the browser and the user proxy software are active on the customer 
computer 106 at Time T. Referring to Figs. 4 and 4A, in step 1, the Customer C provides or 
clicks a URL R of a WebPage that he or she wants to visit, which is transmitted (step 2, Fig. 
4B) to a proxy computer 108 having a physical shipping address (Depot) A and an IP address 
A', a public proxy system identifier P, and a credit card account D with the bank B. As 
discussed herein, the user proxy software 114a strips at least the Customer C's IP address G' 
from the message and substitutes the proxy computer's IP address A'. However, further 
filtering may be carried out by the user proxy software 114a and/or the proxy computer 
software 114b, as described below. 

Referring to Figs. 4 and 4C, in step 3, the proxy computer 108 transmits the altered 
message from the customer computer 106 to the retailer R, providing the retailer with the 
proxy system identifier P. The retailer responds in step 4 (Fig. 4D) with a return message to 
the proxy computer 108. The proxy computer 108 analyzes the message, and may filter or 
alter the message depending upon content before forwarding it to the customer computer 106 
in step 5 (Fig. 4D). Assume that the message forwarded in step 5 includes a form portion, 
i.e., a portion which requests that the customer supply information such as order information, 
name, address, credit card information, etc. In one embodiment, the proxy computer 
software 114b on the proxy computer 108 may filter out form portions requesting private 
information and forward only the order portions of the form, which the user fills in (step 6, 
Fig. 4E). In another embodiment, the proxy computer 108 may forward the entire message 
and rely on user proxy software 114a on the user computer 106 or software transmitted with 
the message to warn or prevent a user from entering private information. In either case, a 
filled out form is returned (step 7, Fig. 4E) to the proxy computer 108, which generates a 
unique session number #F and provides it to the user computer 106 in step 7.5 (Fig. 4E). 

A final shipping address designated by the first party and the shopping session 
number is stored in the secured address mapping (SAM) database 119 (Fig. 3B) along with 
tracking numbers and used later by the trans-shipper and depot to route the physical delivery 
correctly. 

The total purchase price is determined from the good(s) ordered on the form (Fig. 4F), 
and the proxy computer 108 generates the ordered item(s) X and the price amount $Y. The 
proxy system has now generated "Item X", "Amount $Y", "Proxy I" and "Session #F". At this 
point, the proxy system operator obtains authorization to charge the user's credit card prior to 
forwarding order information to the retailer. In step 8 (Fig. 4G), the proxy computer 108 
forwards to the bank B a secured message including the customer's proxy identifier I, the 
proxy's identity P, the amount of the requested transaction $Y, and the session (transaction) 
identifier #F, and requests credit authorization for the transaction. Depending upon business 
relationships, the retailer's identity R may have to be supplied (e.g., as a fraud prevention 
measure). The bank B already has the customer's account information which is accessed 
from the customer's proxy identifier I. (The customer's credit card number is not transmitted 
over the Internet, and is not subject to theft or misuse, thereby reducing fraud.) If 
authorization is denied (Fig. 4H), the session is ended, preferably by requesting the user to 
contact his, her or its bank. 

In another embodiment (Figs. 4G and 4K), the proxy identifier I and the customer's 
credit card number Z are held by the proxy system, and are sent to the bank B for credit 
authorization. The proxy system transacts with the retailer using the proxy system's credit 
card D. If the proxy system sends customer transaction information to the customer's bank 
B, and the proxy system sends transaction information to the proxy system's bank B', then the 
proxy system will need a credit line with B' (fourth party 124 in Fig. 3C) in advance of 
transacting. 

If authorization is provided, the bank B in step 9 (Fig. 4I) authorizes credit for the 
concerned transaction and forwards authorization information W to the proxy computer 108, 
which adds the following (Fig. 4J) to the previously generated order information (item 
identification X and amount $Y): the proxy system operator's proxy identifier P, the session 
identifier #F, the proxy system operator's credit card number D, and the proxy system 
operator's depot shipping address for delivery A. The user's identity transmitted to the 
retailer R is P#F, a unique proxy identity preventing the retailer from linking this transaction 
with any other transactions. In step 10 (Fig. 4J), the proxy computer 108 forwards this 
information to the retailer R. The proxy (depot) delivery address A is linked to the user's 
delivery address G in the secured address mapping (SAM) database 119 (Fig. 3B). 

In step 11 (Fig. 4K), the retailer R requests authorization to charge the proxy system 
operator's credit card D. This request is made after the bank B approved the customer's credit 
in step 9 (Fig. 4I), which is represented in Fig. 4K by the request taking place at Time T + 
If the proxy party and the first party have accounts with the same bank B, this request is 
made to bank B, as shown in Fig. 4. If not, the request is made to another bank B' (Fig. 4K) 
with which the proxy party has an account. If the proxy party's credit is approved, in step 12 
(Fig. 4L) the bank B (or B') provides the authorization Q to the retailer. 

At this point (Fig. 4M), all authorizations have been provided, and the retailer in step 
13 provides the proxy computer 108 with shipper tracking number J for the shipment from 
the retailer to the shipping depot (the first hop), and/or the order number O, which the proxy 
computer 108 forwards to the user computer 106 in step 13.5. The tracking number J is also 
stored in the SAM 119 and linked to the user's address G and shopping session number #F. 
The retailer then ships the good in step 14 to the proxy system operator's shipping depot 
address A with labeling containing the proxy system operator's proxy identifier P and the 
session identifier #F. In step 15 (Fig. 4N), the shipping depot A acknowledges receipt of the 
shipment and forwards to the proxy computer 108 acknowledgement of receipt of the 
shipped good identified by the session number #F, and a second hop tracking number or 
pick-up number J', also stored in the SAM database 119, and the proxy computer 108 
forwards this information to the user computer 106 in step 15.5. Depending upon 
arrangements with shippers and the proxy shipping depot A, the same tracking number J may 
be used for both the first hop shipment to the proxy shipping depot A and the second hop 
shipment to the customer. 

The proxy computer 108 in step 16 (Fig. 4O) directs the depot A (a) to ship the good 
to customer address G designated by the first user to the proxy system if the good is to be 
trans-shipped or (b) to hold it for pick-up ("C Picks Up"). The information needed for 
trans-shipping is contained in the SAM database 119 (Fig. 3B), which may be located at the 
delivery facility 118 or elsewhere. If the good is not to be trans-shipped, it is held at the 
depot A for pick-up, otherwise it is transshipped to the customer address G in step 17 
(Fig. 4O). If the good is held for pick-up, the proxy computer is informed when the good is 
picked up. If it is transshipped, in step 18 (Fig. 4P) confirmation of receipt (H) by the 
customer is provided to the shipping depot A, which informs (provides H plus #F to) the 
proxy computer 108 in step 19. 

The proxy computer 108 confirms to the bank B in step 20 (Fig. 4Q) that the good 
was shipped by providing the session identifier #F and the confirmation H. In step 21, the 
bank B nets the transactions as illustrated in Fig. 5, including payment of a fee to the proxy 
party, as follows: the Customer C is charged $Y and settles with the bank B; the retailer R is 
paid $Y less the customary transaction fee by the bank B; and the proxy party (iPrivacy) is 
paid a percentage of the transaction fee by the bank B. The bank B's transaction data, stored 
in a transaction database 117 (Fig. 3B), is shown in Fig. 7, where time T indicates 
transactions relating to the Customer C, and time "T + n" indicates transactions relating to 
the proxy party (iPrivacy). Fig. 7 shows the data generated by the transaction which the 
proxy party can store in the transaction database 115 (Fig. 3B), and where appropriate, make 
available to others. 

The proxy tracking numbers J and J' are provided via the SAM database 119 (Fig. 3B) 
and to the user through the proxy system or via email to the user for the user to track the 
delivery. The retailer R does not receive the second hop tracking number J'. 

In the embodiment described above, the session identifier #F is the data key to the 
data record for the transaction. 
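
The data partitioning that steps 7.5 through 16 describe can be modelled in a few lines. The following Python sketch is an added illustration, not code from the patent: the class names, the `exposes` helper and the use of `secrets.token_hex` to mint #F, J and J' are assumptions, and the single-letter constants stand in for the patent's symbols P, D and A.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for the patent's symbols (assumptions, not real values).
PROXY_ID = "P"           # public proxy system identifier P
PROXY_CARD = "D"         # proxy operator's credit card account D
DEPOT_ADDRESS = "A"      # first-hop depot shipping address A


@dataclass
class Bank:
    """Bank B: resolves the account from proxy identifier I (steps 8-9)."""
    credit: dict                                  # proxy identifier I -> available credit
    seen: list = field(default_factory=list)      # every message the bank received

    def authorize(self, proxy_identifier, amount, session):
        self.seen.append({"I": proxy_identifier, "P": PROXY_ID, "Y": amount, "F": session})
        return self.credit.get(proxy_identifier, 0) >= amount


@dataclass
class Retailer:
    """Retailer R: only ever receives the step 10 order."""
    seen: list = field(default_factory=list)

    def accept(self, order):
        self.seen.append(order)
        return "J-" + secrets.token_hex(4)        # step 13: first-hop tracking number J


class Proxy:
    def __init__(self, bank, retailer):
        self.bank, self.retailer = bank, retailer
        self.sam = {}                             # SAM database, keyed by session #F

    def purchase(self, proxy_identifier, final_address, item, amount):
        session = "#" + secrets.token_hex(8)      # step 7.5: unique session number #F
        self.sam[session] = {"G": final_address, "J": None, "J2": None}
        if not self.bank.authorize(proxy_identifier, amount, session):
            del self.sam[session]                 # Fig. 4H: authorization denied, session ends
            return None
        order = {                                 # step 10: everything the retailer learns
            "buyer": PROXY_ID + session,          # P#F, different for every session
            "card": PROXY_CARD,
            "ship_to": DEPOT_ADDRESS,
            "item": item,
            "amount": amount,
        }
        self.sam[session]["J"] = self.retailer.accept(order)
        return session

    def depot_relabel(self, session):
        """Steps 15-16: the depot resolves #F to the real address G via the SAM."""
        record = self.sam[session]
        record["J2"] = "J2-" + secrets.token_hex(4)   # second-hop tracking number J'
        return record["G"], record["J2"]


def exposes(view, private_values):
    """True if any private value appears in the messages a party received."""
    return any(p in str(v) for msg in view for v in msg.values() for p in private_values)
```

Running two purchases for the same proxy identifier shows the property the text relies on: the retailer's records carry two unrelated P#F values and no customer address, while only the SAM record can turn #F back into G.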

Variations of the transaction represented in Fig. 4 are possible and contemplated. As 
discussed above, in another embodiment represented in Fig. 3C, two banks are involved: one 
as the credit card company of the user (third party) and the other as the credit card company 
of the proxy (fourth party). 

Fig. 3B shows the authorization, crediting and debiting steps where one bank is 
involved, and Fig. 3C where two banks are involved. Fig. 3F shows authorization, crediting 
and debiting where two banks are involved and the proxy party is eliminated from the 
authorization, crediting, debiting and liability chains. Fig. 3G shows authorization, crediting 
and debiting where no proxy is involved. 

Referring to Fig. 4, the authorization steps 11, 12 are between the second party vendor 
and the proxy system operator's bank, and the authorization steps 8 and 9 are between the 
proxy system and the user's bank. The order of the authorizations 8, 9 and 11, 12 may be 
reversed if desired. The vendor charges the purchase price to the proxy system operator's 
bank and the proxy system charges the purchase price to user's bank, and netting provides the 
two banks and the proxy system with part of the bank fee. Depending upon the 
arrangement, identification of the good may be withheld from both banks and the identity of 
the vendor may be withheld from the user's bank. 

The table in Fig. 8 summarizes the transaction data available to various parties. 
Variations are possible regarding data available to the various parties to a transaction, some 
of which are indicated in the table shown in Fig. 8. The table in Fig. 8 is meant to be 
exemplary. 

Referring to Figs. 3, 3A-3C, the user proxy software 114a extends a user's WWW 
browser to monitor, filter and reroute interactions between the browser and WWW servers 
(retailers R). The user proxy software 114a and/or the proxy computer software 114b provide 
anonymizing transformations of these interactions to assure user's privacy, as briefly 
discussed above and in more detail below. 

Fig. 9 depicts the various protocol layers of IP packets processed by first party (user) 
computers, proxy party computers and second party computers. With the user proxy 
software 114a active, the proxy computer software 114a strips the user computer's IP address 
G' (Fig. 4) in cooperation with the user proxy software and substitutes the proxy computer's 
IP address (identifier A'), which redirects the messages to the respective destination WWW 
server (second party retailer computer 110). (The user computer's IP address G' is needed by 
the proxy computer. Therefore, stripping is performed by the proxy computer software.) 
The TCP protocol layer does not present privacy risks and the proxy computer software does 
not intervene in its processing. The HTTP protocol layer has various header fields that 
provide identification of the source browser system. The proxy computer software 114b 
replaces all information in these fields with headers that represent the proxy system that do 
not disclose private information about the customer's browser system. 

In addition, the proxy computer 108 monitors and filters private information in 
HTML documents. In particular, when a form is presented to the customer computer that 
includes identifying fields, the user can select a private channel mode on the customer 
computer browser and have the respective fields filled with information that identifies the 
proxy system instead, and does not compromise the user's information. The proxy computer 
also protects the user's system against access by Java agents to private data. 

For example, the HTTP header may be replaced and the header contents filtered. As 
part of the content filtering, the user proxy software and/or proxy computer software also 
removes private past history from the content portion of the message to be transmitted to the 
designated WebPage. The level of filtering may be made user selectable. 

Content filtering may be accomplished as follows, for example. 

1. Filtering cookie data: Various transactions with WWW servers deposit 
cookie data on users' PCs. This cookie data is used to simplify access by users to various 
services and to maintain status of transactions between a WWW server and a browser. 
However, cookie data is often used to identify the user and correlate access to multiple 
services, thus compromising private data. The proxy software manages the cookie data to 
limit access to the data by external software. The proxy software allows access to cookies 
only to the owner system that created it. Thus, a given WWW server can only access cookie 
data that it deposited but not other cookie data generated by others. 

2. Filtering data collected by active code: Some web pages may include 
active code such as Java applets (or Java scripts), or Active X. This code may access various 
files and data of the user's computer. The proxy system creates a protective shell around the 
interpreters of these active procedures (e.g., a Java virtual machine) that routes all accesses to 
such data to respective anonymizing data sources. 

There are alternate means of accomplishing the filtering of communications at the various 
layers in the protocol stack, from IP addresses on up to the HTTP layer and beyond. The 
filtering function that secures the user's private information can be implemented at the 
operating system layer, or as modules that are callable by existing operating system software, 
or as complete changes to the browser at the application level. For example, the client proxy 
software may be implemented as a completely new downloaded browser modified to filter 
and secure the user's private information, or as "plug in" software modules that are directly 
called by the user's browser to perform the filter function, or as direct revisions of the 
underlying operating system modules (in the case of Windows, rewriting and installing newer 
versions of Windows' dynamic link library modules otherwise known as DLLs), or as device 
drivers that sit on top of the TCP/IP software and filter the communications that flow to and 
from the protocol processing software, or "packet sniffing" software packages that capture 
communications packets that flow into and out of the PC client and that then may be used to 
filter the contents of those packets, or as wrapper technology, software that captures any 
interactions with the operating system modules that filters the communication between these 
modules. The latter technique is the preferred embodiment since the wrapper technology 
allows access to user private information to filter it while communicating via a transport 
protocol such as TCP/IP, and as well allows access to the operating system's file system so 
that cookies and privacy compromising code such as cgi scripts, or Java code, etc., may be 
accessed and filtered. Robert Balzar of the University of Southern California Information 
Science Institute has made available information on Windows OS wrapper technology that 
intercepts Windows DLL calls. 

3. Replacing compromising procedures: With XML, information pages 
loaded by a server into a user PC may incorporate marks that activate compromising 
procedures. The meaning of such marks is defined by XSL and DTD files, processed by a 
local XML interpreter at the browser. The XSL files bind a mark to its meaning. The proxy 
system replaces compromising procedures defined by XSL files, with alternative XSL files 
that assign non-compromising procedures to retrieve anonymized data instead. This 
mechanism is not strictly necessary because the filtering described in 2 above will prevent 
access to compromising data anyway; the main purpose of replacing XSL libraries is to 
accelerate and simplify filtering whenever possible. 

The proxy system 112 (Figs. 3, 3A-3C) runs two protection algorithms, one for
outgoing information and one for incoming information. The algorithm for outgoing
information is illustrated in the flow chart depicted in Fig. 10. In step 10.1 the outgoing
information to be sent by a browser, or any code activated by the browser, is captured and
analyzed by the user proxy software 114a (Figs. 3, 3A-3C). This information is analyzed in
step 10.2 to determine whether it includes private information; for example, user name and
password or a transaction form. If so, the private information is replaced with proxy system
information (step 10.3) and the entire data is sent to the proxy computer 108 (step 10.4)
where it is further processed. In step 5, all data is routed through the proxy computer 104 to
hide the IP source address. Tunneling may be used to forward packets from the user proxy
software 114a in the customer computers 106 to the proxy computer software 114b in the
proxy computer 108.
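
The outgoing-information steps 10.1 to 10.4 described above, sketched as an added example that is not part of the patent text: a posted form is scanned for private fields, each private value is replaced with a proxy token, and the token-to-value map stays on the proxy side. The field names, token format, class and function names and the sample form are assumptions constructed for illustration.

```python
import secrets
from urllib.parse import parse_qsl, urlencode

# Assumption: the user's privacy selection is a set of form-field names
# treated as private. These names are constructed for the example.
PRIVATE_FIELDS = {"name", "password", "card_number", "ship_address"}


class OutgoingFilter:
    """User-proxy side of Fig. 10: capture, analyze, replace, forward."""

    def __init__(self, private_fields=PRIVATE_FIELDS):
        self.private_fields = {f.lower() for f in private_fields}
        # token -> real value; held by the proxy system, never sent to the vendor
        self.vault = {}

    def _tokenize(self, field, value):
        # Random token, so the vendor cannot derive the value from it.
        token = f"PXY-{field}-{secrets.token_hex(8)}"
        self.vault[token] = value
        return token

    def filter_form(self, body):
        """Steps 10.2 and 10.3: return (filtered_body, replaced_field_names)."""
        replaced = []
        out = []
        for field, value in parse_qsl(body, keep_blank_values=True):
            if field.lower() in self.private_fields and value:
                out.append((field, self._tokenize(field.lower(), value)))
                replaced.append(field)
            else:
                out.append((field, value))
        return urlencode(out), replaced

    def resolve(self, token):
        """Proxy-side lookup after step 10.4; unknown tokens are rejected."""
        try:
            return self.vault[token]
        except KeyError:
            raise KeyError("unknown proxy token") from None


def leaks_private_value(filtered_body, original_body, private_fields=PRIVATE_FIELDS):
    """True if any private value of the original form survives in the filtered body."""
    wanted = {f.lower() for f in private_fields}
    private_values = {
        v for k, v in parse_qsl(original_body) if k.lower() in wanted and v
    }
    sent_values = {v for _, v in parse_qsl(filtered_body)}
    return bool(private_values & sent_values)


# Constructed sample: a transaction form as a browser would post it.
SAMPLE_FORM = (
    "item=SKU-1001&qty=2&name=Alice+Example"
    "&card_number=4111111111111111&ship_address=1+Elm+St"
)

if __name__ == "__main__":
    f = OutgoingFilter()
    filtered, replaced = f.filter_form(SAMPLE_FORM)
    print(filtered)
    print("replaced:", replaced, "leak:", leaks_private_value(filtered, SAMPLE_FORM))
```

The leak check is the useful regression test for such a filter: run it over every captured request before forwarding, and fail closed if it returns true.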

The flow chart in Fig. 11 illustrates the proxy system algorithm to handle incoming
data arriving at a browser, or code activated by the browser. After accepting the data (step
11.1), the user proxy software 114a (Figs. 3, 3A-3C) analyzes its contents to identify code
that may be used to compromise the user private information. Such code can include HTML
forms, or Java applets/scripts. If such code is found, the user proxy software 114a activates a
protection wrapper to monitor and filter all interactions between this code and local resources
(step 11.3). The wrapper will, depending on privacy selection by the user, prevent code from
accessing local resources that may compromise private information. Additionally, if such
code requires user input of private information, the protection display activated in step 11.4
enables the user to enter proxy system data instead of private information.

The proxy computer(s) 108 (Figs. 3, 3A-3C) perform two major functions. First, the
proxy computer routes IP packets between customer computers 106 (proxy clients) and
second party vendor computers 110 (WWW servers) via respective tunnels that hide the IP
source identity. This function is performed at the network protocol layer by respective
routers/switches. Upon activation of the user proxy software 114a, the proxy computer
software 114b and user proxy software 114a authenticate each other and then establish a
tunnel between them. The proxy computer strips the source IP envelope produced by the
user proxy software and forwards the internal IP packets to the destination. This internal IP
packet is configured with a proxy computer address as the source address. When an IP packet
is returned to this source address, the proxy computer tunnels it to the respective user proxy
software.

Second, the proxy computer software 114b (Figs. 3, 3A-3C) interacts with the user
proxy software 114a to privatize transactions between user computers 106 and respective
transaction servers (second party vendor computers) 110. The user proxy software captures
forms used by user computers to handle transactions. The fields of these forms are replaced
by the user proxy software with data identifying the proxy computer as the transacting entity.
The proxy computer uses this data to obtain authorization from a respective credit card
clearing service for the transaction amount and then to submit a respective privatized
transaction to the vendor computer, which sees only data identifying the proxy computer as
the source of the transaction.

The proxy computer algorithm that handles this credit processing is depicted in Fig.
12. In step 12.1 the proxy computer obtains transaction data created by the user proxy
software 114a (Figs. 3, 3A, 3B), and uses this data to extract the financial data needed to
execute the transaction (step 12.2) and pursue clearing of the financial transaction with a
credit card clearing entity (bank B, Fig. 4) (step 12.3). If the credit card entity approves the
transaction (step 12.4) the proxy computer transacts on behalf of the user computer 106 with
the retailer server 110 (step 12.5), the proxy computer becoming a proxy client to the retailer
service. For example, the proxy computer will submit the transaction form of the retailer
filled with financial data and shipping address identifying the proxy computer as the client.
In step 12.6 the proxy computer instructs the user proxy software on the transaction status
(e.g., completed or denied) and the user proxy software presents the results to the respective
user computer.



A retailer transacting with a customer (user) through the proxy system will produce
deliverable goods that need to be sent to the customers. In order to hide a customer's shipping
address, the packaged goods are labeled with a code, preferably machine readable such as a
bar code, that identifies a proxy authorized, associated or owned shipping facility as the
delivery address. In a label-switching embodiment, the proxy system shipping depot scans
these labels and produces respective labels with the destination address designated by the
customer. The package is relabeled (or repackaged or wrapped) and then sent to the
customer-designated address. In a first hop, the shipper delivers the package sent by the
retailer labeled with the unique session identifier #F to the proxy shipping depot 118 (Figs.
3A-3B). The proxy shipping depot A uses this session identifier to generate a label with the
customer designated address, and the customer's name. In case of return, the proxy shipping
depot A reverses the process and relabels the package with the respective identifier. This
information is stored in the SAM database 119 (Fig. 3B), which may be located at the
delivery facility.

Fig. 13 illustrates label switching and depicts the sender (retailer), recipient
(customer), shippers and two proxy system entities (Fig. 3B, proxy software 114 and proxy
shipping depot 118) within the box who are responsible for protecting the private information
of the recipient/customer by creating a privacy protection barrier separating the
sender/retailer from the recipient/customer. The proxy software brokers transactions
between sender/retailer and recipient/customer (e.g., for passing credit card payment) while
protecting private information. The proxy shipping depot 118 performs label switching, and
protects private information of the recipient/customer through shipping and/or return.
These roles of privacy protection may be provided by the same party or by different parties.
For example, a shipper may provide the proxy shipping depot functions and the proxy party
may provide the other functions, or the proxy party may provide all of the functions.

Referring to Fig. 13, a transaction with label-switched shipping proceeds as follows.
A recipient/customer concludes a transaction with a sender/retailer using the proxy software.
The proxy software generates a unique (session) identifier (#F) of the transaction and in step
13.1 provides it to the sender/retailer and recipient/customer. In step 13.2, the proxy software
provides the unique identifier and the respective recipient identity and shipping address to the
proxy shipping depot 118. In step 13.3, a package containing the ordered good labeled with
the unique identifier is delivered to the proxy shipping depot 118, where a new shipping label
is generated with the identifier and address of the recipient/customer and applied to the
package (or the package is repackaged or wrapped etc. with the new label). In step 13.4, the
relabeled package is delivered via a shipper to the address designated by the
recipient/customer. To return a good while securing the recipient/customer's private
information, in step 13.5, the proxy shipping depot 118 reverses the process, replacing the
label with a unique identifier and notifying the proxy software of the relabeled shipment.
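
The data flow of steps 13.1 to 13.5, as an added example that is not part of the patent text: the retailer's label carries only the session identifier and the depot address, and only the depot can map that identifier to a name and address. The class names, the identifier format, the addresses and the assumption that a return is sent to a retailer address supplied by the caller are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed depot address; it is the only address the retailer ever sees.
DEPOT_ADDRESS = "Proxy Shipping Depot, 10 Main Street, Any Town, USA 12345"


@dataclass(frozen=True)
class Label:
    addressee: str  # what is printed as the recipient or reference
    address: str    # what is printed as the destination


class ProxyShippingDepot:
    """Holds the identifier -> recipient mapping (the role of the SAM database)."""

    def __init__(self):
        self._records = {}       # identifier -> (name, address)
        self.notifications = []  # messages sent back to the proxy software

    def register(self, identifier, name, address):
        """Step 13.2: the proxy software hands over identifier and recipient data."""
        if identifier in self._records:
            raise ValueError("identifier already in use")
        self._records[identifier] = (name, address)

    def relabel_outbound(self, inbound):
        """Step 13.3: swap the identifier label for the customer's label."""
        if inbound.address != DEPOT_ADDRESS:
            raise ValueError("package is not addressed to this depot")
        try:
            name, address = self._records[inbound.addressee]
        except KeyError:
            raise LookupError("unknown session identifier") from None
        return Label(name, address)

    def relabel_return(self, identifier, retailer_address):
        """Step 13.5: the return label names the identifier, never the customer."""
        if identifier not in self._records:
            raise LookupError("unknown session identifier")
        self.notifications.append(("returned", identifier))
        return Label(identifier, retailer_address)


class ProxySoftware:
    """Brokers the transaction and mints the session identifier (#F)."""

    def __init__(self, depot):
        self.depot = depot

    def conclude_transaction(self, name, address):
        """Steps 13.1 and 13.2: returns (identifier, label given to the retailer)."""
        identifier = "F" + secrets.token_hex(8).upper()
        self.depot.register(identifier, name, address)
        return identifier, Label(identifier, DEPOT_ADDRESS)


if __name__ == "__main__":
    depot = ProxyShippingDepot()
    proxy = ProxySoftware(depot)
    fid, retailer_label = proxy.conclude_transaction(
        "Alice Example", "1 Elm St, Springfield"
    )
    print("retailer sees:", retailer_label)
    print("depot prints: ", depot.relabel_outbound(retailer_label))
    print("return label: ", depot.relabel_return(fid, "Retailer Returns, 5 Market Rd"))
```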

The above steps may involve multiple different media for communications and/or
label switching. Specifically, in step 13.1, handling a transaction that results in shipping may
be conducted electronically (indicated by broken lines) over a computer network such as the
Internet. Alternatively, it may be handled via a telephone call for a catalogue order; a fax
transmission of an order; or any other form of communications. Step 13.2 may be conducted
through transmission of a message to the label-switching provider or by providing actual
labels. In step 13.3, label-switching may too be handled in many ways. The unique identifier
of a package may be coded in a bar code printed on a shipping label; alternatively it may be
supplied as a number or a string of characters or any other form that uniquely identifies the
package. The proxy shipping depot 118 will typically use special equipment to read the label
and identify the recipient name and address. It may print this data on a new label to be placed
on the package. Alternatively, it may provide the shipper with a file that can be used to
generate the shipping address on a computer screen by scanning the label. This enables the
shipper to deliver the package directly based on the original identifier.

Label-switched shipping accomplishes the following: (a) two way privacy protection;
(b) two-way verifiability through complete tracing of each shipping stage; (c) one-time
per-shipping privacy; and (d) full coordination and exchange of data with all entities participating
in a transaction. Thus, label-switched privacy-protection accomplishes the primary goals
identified above. There is, however, an extra cost in the transaction for handling the label
switching. Such costs are scalable and are incurred per shipment not per recipient or sender
as with the costs of POB-based techniques. The alternative method of delivery, depot
pick-up, does not introduce additional costs and, in fact, can result in cost savings compared to
current shipping.
One-time Virtual Mailbox (OVM) technique for privacy-protected shipping operates as
follows. This technique is called one-time virtual mailbox because the OVM provider (e.g.,
the proxy shipping depot 118) functions as if a virtual mailbox has been opened and
terminated for a package and the recipient must use a secret key to retrieve its contents.
Referring to Fig. 14, step 14.1 is the same as step 13.1 described above for label-switched
shipping. In steps 14.2 and 14.3, the sender/retailer ships the package via a shipper to the
address of an OVM provider depot (e.g., the proxy shipping depot 118) with a unique
identifier printed on the package. For example, OVM77432572980975, 10 Main Street, Any
Town, USA 12345. The shipper (step 14.3) delivers the package to the OVM depot at the
depot's address. The recipient claims the package (step 14.4) by providing the OVM depot
with the unique session identifier #F on the package, and optionally other information such
as the order number. Preferably, a second form of authorization is required, for example,
secret information such as a biometric or a confidential code or password known to the
recipient and the OVM provider. A return is accomplished in step 14.5, where the process is
reversed and simplified. The recipient/customer ships the return package directly to the
sender/retailer with the respective OVM delivery identifier.
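
The claim step 14.4 with its second form of authorization, as an added example that is not part of the patent text: the depot stores only a salted hash of the confidential code, compares in constant time, and terminates the mailbox on the first successful claim. The class name, the retry limit and the use of PBKDF2 are assumptions; the identifier format imitates the OVM example given in the text.

```python
import hashlib
import hmac
import secrets


class OneTimeVirtualMailbox:
    """OVM depot: one mailbox per package, closed on the first successful claim."""

    MAX_ATTEMPTS = 3  # assumption: lock the mailbox after repeated bad codes

    def __init__(self):
        # identifier -> {"salt", "digest", "failures", "package"}
        self._boxes = {}

    @staticmethod
    def _derive(code, salt):
        # The depot keeps a salted, stretched hash, not the code itself.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def open_mailbox(self, confidential_code):
        """Step 14.1: mint the identifier printed on the package."""
        while True:
            digits = "".join(secrets.choice("0123456789") for _ in range(14))
            identifier = "OVM" + digits
            if identifier not in self._boxes:
                break
        salt = secrets.token_bytes(16)
        self._boxes[identifier] = {
            "salt": salt,
            "digest": self._derive(confidential_code, salt),
            "failures": 0,
            "package": None,
        }
        return identifier

    def receive(self, identifier, package):
        """Step 14.3: the shipper delivers a package labelled with the identifier."""
        box = self._boxes.get(identifier)
        if box is None:
            raise LookupError("no mailbox for this identifier")
        box["package"] = package

    def claim(self, identifier, confidential_code):
        """Step 14.4: identifier plus second factor; returns the package or None."""
        box = self._boxes.get(identifier)
        if box is None or box["package"] is None:
            return None
        if box["failures"] >= self.MAX_ATTEMPTS:
            return None  # locked: even the right code no longer works
        candidate = self._derive(confidential_code, box["salt"])
        if not hmac.compare_digest(candidate, box["digest"]):
            box["failures"] += 1
            return None
        # One-time: the mailbox is terminated as soon as the package is released.
        del self._boxes[identifier]
        return box["package"]


if __name__ == "__main__":
    ovm = OneTimeVirtualMailbox()
    box_id = ovm.open_mailbox("correct horse")   # constructed sample code
    ovm.receive(box_id, "parcel-1")
    print(box_id, ovm.claim(box_id, "wrong"), ovm.claim(box_id, "correct horse"))
    print("second claim:", ovm.claim(box_id, "correct horse"))
```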

Tracking of the user's delivery is accomplished easily by the SAM database 119 (Fig. 3B)
and the trans-shipper's tracking system. By providing a tracking number to the Retailer R that
only reveals the depot address, or another proxy address, the user's true address is secured
from the retailer, who cannot determine the true address from the tracking system. The true
tracking number provided to the user provides the means of tracking the shipment.
The OVM and the proxy tracking number technique accomplishes privacy-protected
shipping, which may be implemented using various media, communications and transactions.

Although the invention has been described and illustrated in connection with
preferred embodiments, many variations and modifications, as will be apparent to those of
skill in the art, may be made without departing from the spirit and scope of the invention.
The invention as set forth in the appended claims is thus not limited to the precise details of
construction set forth above as such variations and modifications are intended to be included
within the spirit and scope of the invention as set forth in the claims.

CLAIMS

1. A method for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the method providing for a delivery address to which the good can
be delivered while securing said information of the first party with respect to the second
party, comprising the steps of:

the first and second parties communicating over the network using respective devices;

providing information from the first device directed to the second device for
communicating with the second device or to order a good while securing said information of
the first party; and

providing a delivery address to the second party to which the good is to be delivered,
the delivery address not enabling the second party to determine said information of the first
party.

2. The method of claim 1 wherein the step of providing information from the first
device directed to the second device while securing said information comprises providing
proxy identifying information specific to the first party or the first device but from which the
second party can not determine said information.

3. The method of claim 1 wherein the step of providing information from the first
device directed to the second device while securing said information comprises the step of
altering information from the first device directed to the second device while securing said
information of the first party.

4. The method of claim 3 wherein the step of the first and second parties
communicating with each other over the network comprises the first party using a first
computer and the second party using a second computer.

5. The method of claim 4 wherein the step of altering said information from the 
first device comprises altering said information from the first computer using proxy software 
associated with the first computer or a proxy computer, or both. 

6. The method of claim 5 wherein the step of providing the delivery address 
comprises using the proxy software to provide the delivery address. 

7. The method of claim 4 wherein the step of providing the delivery address 
comprises using proxy software associated with a proxy computer. 

8. The method of claim 1, 2, 3, 4, 5, 6 or 7 including the step of providing for
delivery of the good to the delivery address.

9. The method of claim 8 wherein the good is a physical good and the delivery 
address is the address of a physical facility, and wherein the step of providing for delivery of 
the good to the delivery address includes the second party providing for physical shipment of 
the good to the physical facility. 

10. The method of claim 9 including the step of making the good available at the
physical facility for pick up by or on behalf of the first party in a manner which does not
require said information of the first party to be revealed at the physical facility.

11. The method of claim 10 including the step of providing a physical address, 
which may not secure said information of the first party, designated by the first party to the 
physical facility but not to the second party. 
12. The method of claim 11 including the step of providing for shipment of the
good from the physical facility to the physical address.

13. The method of claim 7 wherein the good is an electronically transmittable file
and the delivery address is an electronic address of a proxy computer, the step of providing
for delivery of the good to the delivery address including the second party providing for
electronic transmission of the file to the proxy computer.

14. The method of claim 13 including the step of the proxy computer transmitting
the file to an electronic address of the first party, which may not secure said information of
the first party, which is available to the proxy computer but not to the second party.

15. The method of claim 2 wherein the good is an electronically transmittable file
and the delivery address is an electronic address associated with the proxy identifying
information of the first device, the step of providing for delivery of the good to the delivery
address including the second party providing for electronic transmission of the file to the
electronic address of the first device.

16. The method of claim 3 wherein the step of altering information from the first
device comprises altering at least a content protocol layer of the information.

17. The method of claim 3 wherein the communications network is the Internet,
the step of the first and second parties communicating with each other over the network
comprises the first party using a first computer and the second party using a second
computer, and the step of altering information from the first computer comprises altering at
least a content protocol layer of the information.

18. The method of claim 17 wherein altering the information at least at a content
layer comprises filtering cookie data.

19. The method of claim 17 wherein altering the information at least at a content 
layer comprises filtering active code. 



layer comprises filtering compromising procedures. 

21. The method of claim 1 wherein the communications network is the Internet
and the identifying information is an identity associated with the first party, and wherein the
step of providing identifying information specific to the first party or the first device but from
which the second party can not determine said information comprises providing a proxy
identity for the first party.

22. A method for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the method providing for payment to the second party and a delivery
address to which the good can be delivered while securing said information of the first party
with respect to the second party, comprising the steps of:

providing information from the first device directed to the second device for
communicating with the second device or to order a good while securing said information of
the first party;

providing for approval or disapproval of the purchase of the good by the first party
from the second party based on financial information relating to the first party, and if the
purchase is approved, providing for payment to the second party while securing said
information of the first party with respect to the second party; and

providing a delivery address to the second party to which the good is to be delivered,
the delivery address not enabling the second party to determine said information of the first
party.

23. The method of claim 22 wherein the step of providing for approval or
disapproval comprises another party providing for approval or disapproval of the purchase
based on financial information relating to the first party, and wherein the step of providing
for payment if the purchase is approved comprises the other party providing for payment to
the second party and providing for debiting of the first party.

24. The method of claim 23 wherein the step of providing for approval or
disapproval comprises the other party being a third party who approves or disapproves of the
purchase based on financial information relating to the first party, and wherein the step of
providing for payment if the purchase is approved comprises the third party paying the
second party and debiting the first party.

25. The method of claim 23 wherein the step providing for approval or disapproval
comprises the other party arranging with at least a third party to provide for approval or
disapproval of the purchase based on the financial information relating to the first party, and
wherein the step of providing for payment comprises the other party arranging with at least
the third party to provide for payment to the second party and debiting of the first party.

26. The method of claim 23 wherein the step of the first and second parties
communicating with each other over the network comprises the first party using a first
computer and the second party using a second computer, and wherein the step of providing
for approval or disapproval comprises the other party being a proxy party and using proxy
software associated with the first computer or a proxy computer, or both, and wherein the
step of providing for payment if the purchase is approved comprises the proxy party using
the proxy software to provide for payment to the second party and debiting of the first party.

27. The method of claim 26 wherein the step of providing for approval or
disapproval comprises the proxy party arranging with at least a third party to provide for
approval or disapproval of the purchase based on the financial information relating to the first
party, and wherein the step of providing for payment comprises the proxy party arranging
with the third party to provide for payment to the second party and debiting of the first party.

28. The method of claim 27 wherein the step of providing for approval or
disapproval comprises the third party using a third computer communicating with the proxy
computer to approve or disapprove the purchase based on financial information relating to
the first party available to the third party, and wherein the step of providing for payment if
the purchase is approved comprises the third party electronically crediting the second party
and electronically debiting the first party.

29. The method of claim 28 wherein the step of debiting includes debiting a credit
card account of the first party.

30. The method of claim 28 or 29 comprising the step of providing for payment of
a fee to the proxy party for the proxy party's participation in purchases in which the third
party also participates.

31. The method of claim 30 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each purchase by a first party from a 
second party in which the third party participates. 

32. The method of claim 30 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each first party enabled to purchase from a 
second party. 

33. The method of claim 30 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for enabling the third party to participate in 
purchases made by first parties from second parties. 

34. The method of claim 26 wherein the step of providing for approval or
disapproval comprises the proxy party arranging with a third party using a third computer to
provide for approval or disapproval of the purchase based on financial information relating to
the first party and a fourth party using a fourth computer to provide for approval or
disapproval of the purchase based on financial information relating to the proxy party,
wherein the step of providing for payment to the second party includes the fourth party
electronically crediting an account of the second party and electronically debiting an account
of the proxy party, and the third party electronically crediting an account of the proxy party
and electronically debiting an account of the first party.

35. The method of claim 34 wherein the step of debiting the account of the first
party includes debiting a credit card account of the first party.

36. The method of claim 34 or 35 comprising the step of providing for payment of
a fee to the proxy party for the proxy party's participation in purchases in which the third
party or the fourth party also participates.

37. The method of claim 36 wherein the step of providing for payment of the fee
to the proxy party comprises payment of a fee for each purchase by a first party from a
second party in which the third party or the fourth party participates.

38. The method of claim 36 wherein the step of providing for payment of the fee
to the proxy party comprises payment of a fee for each first party enabled to purchase from a
second party.

39. The method of claim 36 wherein the step of providing for payment of the fee
to the proxy party comprises payment of a fee for enabling the third party or the fourth party
to participate in purchases made by first parties from second parties.

40. The method of claim 28 wherein the step of providing for payment to the
second party comprises the third party assuming all responsibility and financial liability for
paying the second party and collecting from the first party, and including the step of the third
party paying a fee to the proxy party.

41. The method of claim 28 wherein the proxy party receives information
concerning transactions between first parties and second parties including said information of
the first party, the method including the step of the proxy party providing certain of said
information of the first party to the third party beyond information required by the third party
to carry out the approval and disapproval step and the payment step.

42. The method of claim 28 wherein the proxy party associated with the proxy
software and the first party both have accounts with the third party, and wherein the step of
providing payment to the second party includes the proxy software providing the second
party with information of the proxy party's account with the third party, and if the third party
authorizes payment, the third party paying the second party and debiting the first party.

43. The method of claim 42 wherein the step of providing payment includes the 
third party electronically debiting a credit card account of the first party. 

44. The method of claim 42 or 43 comprising the step of the third party providing 
payment of a fee to the proxy party. 

45. The method of claim 22 wherein the step of providing information from the
first device directed to the second device while securing said information comprises
providing identifying information specific to the first party or the first device but from which
the second party can not determine said information.

46. The method of claim 22 wherein the step of providing information from the
first device directed to the second device while securing said information comprises the step
of altering information from the first device directed to the second device.

47. The method of claim 46 wherein the step of altering information from the first
device comprises altering at least a content protocol layer of said information.

48. The method of claim 46 wherein the step of the first and second parties
communicating with each other over the network comprises the first party using a first
computer and the second party using a second computer.




49. The method of claim 48 wherein the step of altering information from the first 
device comprises altering said information from the first computer using proxy software 
associated with the first computer or a proxy computer, or both. 

50. The method of claim 46 wherein the communications network is the Internet,
the step of the first and second parties communicating with each other over the network
comprises the first party using a first computer and the second party using a second
computer, and the step of altering information from the first computer comprises altering at
least a content protocol layer of the information.

51. The method of claim 50 wherein altering information at least at a content layer
comprises filtering cookie data.

52. The method of claim 50 wherein altering information at least at a content layer 
comprises filtering active code. 

53. The method of claim 50 wherein altering said information at least at a content 
layer comprises filtering compromising procedures. 

54. The method of claim 26 wherein the step of providing the delivery address 
comprises using the proxy software. 

55. The method of claim 22 wherein the step of providing the delivery address 
comprises using proxy software associated with a proxy computer. 

56. The method of claim 22, 54 or 55 including the step of providing for delivery 
of the good to the delivery address. 

57. The method of claim 56 wherein the good is a physical good and the delivery
address is the address of a physical facility, and wherein the step of providing for delivery of
the good to the delivery address includes the second party providing for physical shipment of
the good to the physical facility.

58. The method of claim 57 including the step of making the good available at the 
physical facility for pick up by or on behalf of the first party in a manner which does not 
require said information of the first party to be revealed at the physical facility. 

59. The method of claim 57 including the step of providing for the shipment of the
good from the physical facility to a physical address, which may not secure said information
of the first party, designated by the first party which is made available at the physical facility
but not to the second party.

60. The method of claim 56 wherein the good is an electronically transmittable file 
and the delivery address is an electronic address of a proxy computer, the step of providing 
for delivery of the good to the delivery address including the second party providing for 
electronic transmission of the file to the proxy computer. 

6 1 . The method of claim 60 including the step of the proxy computer transmitting 
the file to an electronic address of the first party which is available at the proxy computer but 
not to the second party. 

62. The method of clam 45 wherein the good is an electronically transmittable file 
and the delivery address is an electronic address associated with the identifying information 
of the first device, which may not secure said information of the first party, and wherein the 
step of providing for delivery of the good to the delivery address includes the second party 
providing for electronic transmission of the file to the electronic address associated with the 
identifying information of the first device.

63. The method of claim 45 wherein the communications network is the Internet
and the identifying information is an identity associated with the first party, and wherein the
step of providing identifying information specific to the first party or the first device from
which the second party can not determine said information comprises providing a proxy
identity for the first party.

64. A method for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the method providing payment to the second party while securing
said information of the first party with respect to the second party, comprising the steps of:

the first and second parties communicating over the network using respective devices;

providing information from the first device directed to the second device for
communicating with the second device or to order a good while securing said information of
the first party; and

another party providing for approval or disapproval by at least a third party of the
purchase of the good by the first party from the second party based on financial information
relating to the first party accessible by the third party, and if the purchase is approved,
providing for payment to the second party while securing said information of the first party
with respect to the second party.

65. The method of claim 64 wherein the step of providing for payment if the
purchase is approved comprises the other party providing for debiting of the first party.

66. The method of claim 65 wherein the step of providing for approval or
disapproval comprises the other party being a third party who approves or disapproves of the
purchase based on financial information relating to the first party, and wherein the step of
providing for payment if the purchase is approved comprises the third party paying the
second party and debiting the first party.

67. The method of claim 64 wherein the step of providing for approval or disapproval
comprises arranging with at least a third party to provide for approval or disapproval of the
purchase based on the financial information relating to the first party, and wherein the step of
providing for payment comprises the other party arranging with at least the third party to
provide payment to the second party and debiting of the first party.

68. The method of claim 67 wherein the step of the first and second parties
communicating with each other over the network comprises the first party using a first
computer and the second party using a second computer, and wherein the step of providing
for approval or disapproval comprises the other party being a proxy party and using proxy
software associated with the first computer or a proxy computer, or both, and wherein the step
of providing for payment if the purchase is approved comprises the other party using the
proxy software to provide for payment to the second party and debiting of the first party.

69. The method of claim 68 wherein the step of providing for approval or
disapproval comprises the proxy party arranging with a third party to provide for approval or
disapproval of the purchase based on the financial information relating to the first party, and
wherein the step of providing for payment comprises the proxy party arranging with a third
party to provide for payment to the second party and debiting of the first party.

70. The method of claim 69 wherein the step of providing for approval or
disapproval comprises the third party using a third computer communicating with the proxy
computer to approve or disapprove the purchase based on financial information relating to
the first party available to the third party, and wherein the step of providing for payment if
the purchase is approved comprises the third party electronically crediting the second party
and electronically debiting the first party.

71. The method of claim 70 wherein the step of debiting the account of the first
party includes debiting a credit card account of the first party.

72. The method of claim 70 or 71 comprising the step of providing for payment of
a fee to the proxy party for the proxy party's participation in purchases in which the third
party also participates.

73. The method of claim 72 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each purchase by a first party from a 
second party in which the third party participates. 

74. The method of claim 72 wherein the step of providing for payment of the fee
to the proxy party comprises payment of a fee for each first party enabled to purchase from a
second party. 

75. The method of claim 72 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for enabling the third party to participate in
purchases made by first parties from second parties.

76. The method of claim 68 wherein the step of providing for approval or 
disapproval comprises the proxy party arranging with a third party using a third computer to
provide for approval or disapproval of the purchase based on financial information relating to
the first party and a fourth party using a fourth computer to provide for approval or
disapproval of the purchase based on financial information relating to the proxy party,
wherein the step of providing for payment to the second party includes the fourth party
electronically crediting an account of the second party and electronically debiting an account
of the proxy party, and the third party electronically crediting an account of the proxy party 
and electronically debiting an account of the first party. 

77. The method of claim 76 wherein the step of debiting the account of the first 
party includes debiting a credit card account of the first party. 

78. The method of claim 76 or 77 comprising the step of providing for payment of
a fee to the proxy party for the proxy party's participation in purchases in which the third
party or the fourth party also participates. 

79. The method of claim 78 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each purchase by a first party from a
second party in which the third party or the fourth party participates.

80. The method of claim 78 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each first party enabled to purchase from a 
second party. 

81. The method of claim 78 wherein the step of providing for payment of the fee
to the proxy party comprises payment of a fee for enabling the third party or the fourth party
to participate in purchases made by first parties from second parties.

82. The method of claim 70 wherein the step of providing for payment to the
second party comprises the third party assuming all responsibility and financial liability for 
paying the second party and collecting from the first party, and including the step of the third 
party paying a fee to the proxy party. 

83. The method of claim 82 wherein the proxy party receives information
concerning transactions between first parties and second parties including said information of
the first party, the method including the step of the proxy party providing certain of said 
information of the first party to the third party beyond information required by the third party 
to carry out the approval and disapproval step and the payment step. 

84. The method of claim 70 wherein the proxy party and the first party both have
accounts with the third party, and wherein the step of providing payment to the second party
includes the proxy software providing the second party with information of the proxy party's 
account with the third party, and if the third party authorizes payment, the third party paying 
the second party and debiting the first party. 

85. The method of claim 84 wherein the step of providing payment includes the
third party electronically debiting a credit card account of the first party.

86. The method of claim 84 or 85 comprising the step of the third party providing
payment of a fee to the proxy party. 

87. The method of claim 64 wherein the step of providing information from the
first device directed to the second device while securing said information comprises
providing identifying information specific to the first party or the first device but from which
the second party can not determine said information.

88. The method of claim 64 wherein the step of providing information from the
first device directed to the second device while securing said information comprises the step 
of altering information from the first device directed to the second device. 

89. The method of claim 88 wherein the step of altering said information from the 
first device comprises altering at least a content protocol layer of said information. 

90. The method of claim 88 wherein the step of the first and second parties 
communicating with each other over the network comprises the first party using a first 
computer and the second party using a second computer.

91 . The method of claim 90 wherein the step of altering said information from the 
first device comprises altering said information from the first computer using proxy software 
associated with the first computer or a proxy computer, or both.

92. The method of claim 88 wherein the communications network is the Internet, 
the step of the first and second parties communicating with each other over the network 
comprises the first party using a first computer and the second party using a second 
computer, and the step of altering said information from the first computer comprises altering 
at least a content protocol layer of said information.

93. The method of claim 92 wherein altering said information at least at a content 
layer comprises filtering cookie data. 

94. The method of claim 92 wherein altering said information at least at a content 
layer comprises filtering active code. 

95. The method of claim 92 wherein altering said information at least at a content 
layer comprises filtering compromising procedures.

96. The method of claim 87 wherein the communications network is the Internet
and the identifying information is an identity associated with the first party, and wherein the 
step of providing identifying information specific to the first party or the first device from 
which the second party can not determine said information comprises providing a proxy 
identity for the first party. 

97. A method for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the method providing payment to the second party while securing 
said information of the first party with respect to the second party, comprising the steps of: 

the first and second parties communicating over the network using respective devices; 

altering said information from the first device directed to the second device to prevent
the second party from determining said information of the first party; and 

providing for approval or disapproval of the purchase by a first party from a second 
party based on (a) an account that the first party has with a third party and (b) an account that 
a proxy party has with a fourth party while securing said information with respect to the 
second party, the third party approving or disapproving the purchase based on account 
information relating to the first party, and the fourth party approving or disapproving the 
purchase based on account information relating to the proxy party with the fourth party,
and if the third and fourth parties approve the purchase, the fourth party electronically
crediting the second party and electronically debiting the proxy party, and the third party
electronically crediting the account of the proxy party and electronically debiting the first
party.

98. The method of claim 97 wherein the step of the first and second parties 
communicating with each other over the network comprises the first party using a first 
computer, the second party using a second computer and the proxy party using a proxy 
computer, and wherein the step of the third party approving or disapproving the purchase 
comprises the third computer communicating with the proxy computer, and wherein the step 
of the fourth party approving or disapproving the purchase comprises a fourth computer 
communicating with the proxy computer and the second computer. 

99. The method of claim 98 wherein the step of debiting the first party comprises 
debiting a credit card account of the first party. 

100. The method of claim 98 or 99 wherein the step of debiting the proxy party 
comprises debiting a credit card account of the proxy party. 

101. The method of claim 100 including the step of providing for payment of the 
fee to the proxy party. 

102. The method of claim 101 wherein the step of providing for payment of a fee to 
the proxy party comprises payment of a fee for each purchase by a first party from a second 
party in which the third party or the fourth party participates. 

103. The method of claim 101 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each first party enabled to purchase from a 
second party. 

104. The method of claim 101 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for enabling the third party or the fourth party
to participate in purchases made by first parties from second parties.

105. The method of claim 97 wherein the step of altering said information from the 
first device comprises altering at least a content protocol layer of said information. 

106. The method of claim 97 wherein the step of the first and second parties
communicating with each other over the network comprises the first party using a first
computer and the second party using a second computer.

107. The method of claim 105 wherein the step of altering said information from 
the first device comprises altering said information from the first computer using proxy 
software associated with the first computer or a proxy computer, or both. 

108. The method of claim 97 wherein the communications network is the Internet,
the step of the first and second parties communicating with each other over the network
comprises the first party using a first computer and the second party using a second
computer, and the step of altering said information from the first computer comprises altering
at least a content protocol layer of said information.

109. The method of claim 108 wherein altering said information at least at a content
layer comprises filtering cookie data.

110. The method of claim 108 wherein altering said information at least at a content
layer comprises filtering active code.

111. The method of claim 108 wherein altering said information at least at a content
layer comprises filtering compromising procedures.

112. A system for a first party using a first computer to order a good from a second
party using a second computer over a communications network linking the first and second
computers, the first party having information of a personal or private nature specific to the
first party or the first computer, the system providing for a delivery address to which the
good can be delivered while securing said information of the first party with respect to the
second party, comprising:

the first computer having proxy identifying information which does not reveal said
information of the first party;

the first computer having software which

alters information from the first computer directed to the second computer to prevent
the second party from determining said information of the first party, and

provides a delivery address to the second party to which the good is to be delivered,
the delivery address not enabling the second party to determine said information of the first
party.

113. The system of claim 112 comprising a delivery means for delivering the good
to the delivery address.

114. The system of claim 113 wherein the good is a physical good and the delivery
address is the address of a physical facility, and wherein the delivery means comprises means
for physically shipping the good to the physical facility.

115. The system of claim 114 including means for making the good available at the
physical facility for pick up by or on behalf of the first party in a manner which does not
require said information of the first party to be revealed at the physical facility.

116. The system of claim 114 including means for physically shipping the good
from the physical facility to a physical address designated by the first party which is made
available at the physical facility but not to the second party.

117. The system of claim 116 including a database storing the physical address
designated by the first party, at least part of said information of the first party, or information
relating to the purchase by the first party, or both, and means for accessing the database using
information relating to the purchase or said information of the first party stored in the
database to obtain the physical address of the first party to which the good is to be shipped.

118. The system of claim 112 wherein the good is an electronically transmittable
file and the delivery address is an electronic address associated with the proxy identifying
information of the first computer which does not reveal said information, and wherein the
delivery means comprises means for electronically transmitting the file to the first computer.

119. The system of claim 115 including means for providing a first label for
association with the good, the first label having the delivery address and unique information
relating the good and the first party from which a physical address designated by the first
party to which the good is to be reshipped can be identified, and means for providing a
second label that has the physical address designated by the first party and which can replace
the first label.

120. The system of claim 119 wherein the means for providing a second label
includes a database mapping the unique information and the physical address designated by
the first party.

121. The system of claim 119 including means for providing a label for association
with the good, the label having the delivery address and unique information relating the good
and the first party, and wherein the first computer software provides the unique information

122. The system of claim 112 wherein the first computer software alters at least a
content protocol layer of the information.

123. The system of claim 112 wherein the network is the Internet and the first
computer software alters at least a content protocol layer of the information.

124. The system of claim 123 wherein the first computer software filters cookie
data.

125. The system of claim 123 wherein the first computer software filters active
code.

126. The system of claim 123 wherein the first computer software filters 
compromising procedures. 

127. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for a delivery address to which the good can be 
delivered while securing said information of the first party with respect to the second party, 
comprising: 

a proxy device altering said information from the first device directed to the second 
device to prevent the second party from determining said information of the first party; and 

the proxy device providing a delivery address to the second party to which the good is 
to be delivered, the delivery address not enabling the second party to determine said 
information of the first party.

128. The system of claim 127 wherein the first device comprises a first computer
and the second device comprises a second computer.

129. The system of claim 127 wherein the proxy device comprises a proxy
computer and proxy software associated with the first computer or the proxy computer, or
both, which alters information from the first computer.

130. The system of claim 129 wherein the proxy software provides the delivery
address to the second party.

131. The system of claim 127, 128, 129 or 130 comprising a delivery means for 
delivering the good to the delivery address. 

132. The system of claim 131 wherein the good is a physical good and the delivery
address is the address of a physical facility, and wherein the delivery means comprises means 
for physically shipping the good to the physical facility. 

133. The system of claim 132 including means for making the good available at the 
physical facility for pick up by or on behalf of the first party in a manner which does not
require said information of the first party to be revealed at the physical facility.

134. The system of claim 132 including means for physically shipping the good
from the physical facility to a physical address designated by the first party which is made
available at the physical facility but not to the second party.

135. The system of claim 131 wherein the good is an electronically transmittable
file and the delivery address is an electronic address of a proxy computer, and wherein the
delivery means comprises means for electronically transmitting the file to the proxy
computer.

136. The system of claim 135 including means for transmitting the file to an
electronic address of the first party which is available at the proxy computer but not to the
second party.

137. The system of claim 127 wherein the proxy device either redirects the good to 
a physical address designated by the first party using a proxy party who does not provide the 
second party with access to the address designated by the first party, or allows the good to be 
picked up by or on behalf of the first party anonymously. 

138. The system of claim 137 including a database storing the physical address
designated by the first party, at least part of said information of the first party, or information 
relating to the purchase by the first party, or both, and means for accessing the database using 
information relating to the purchase or said information of the first party stored in the 
database to obtain the physical address of the first party to which the good is to be shipped. 

139. The system of claim 137 including means for providing a first label for 
association with the good, the first label having the delivery address and unique information 
relating the good and the first party with which the proxy party at the delivery address can
identify a physical address designated by the first party to which the good is to be reshipped, 
and means for providing a second label that has the address designated by the first party and 
which can replace the first label. 

140. The system of claim 139 wherein the means for providing a second label
includes a database mapping the unique information and the physical address designated by
the first party.

141. The system of claim 139 including means for providing a label for association
with the good, the label having the delivery address and unique information relating the good
and the first party, and wherein the proxy software provides the unique information to the
second party.

142. The system of claim 127 wherein the proxy device alters at least a content
protocol layer of said information.

143. The system of claim 127 wherein the communications network is the Internet, 
the first device comprises a first computer and the second device comprises a second 
computer, and wherein the proxy device comprises proxy software which alters at least a
content protocol layer of said information.

144. The system of claim 143 wherein the proxy software filters cookie data. 

145. The system of claim 143 wherein the proxy software filters active code. 

146. The method of claim 143 wherein the proxy software filters compromising 
procedures. 

147. A system for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the system providing for payment to the second party and a delivery
address to which the good can be delivered while securing said information of the first party
with respect to the second party, comprising:

the first computer having identifying information which does not reveal said
information of the first party;

the first computer having software which

alters information from the first computer directed to the second computer to prevent
the second party from determining said information of the first party, and

provides a delivery address to the second party to which the good is to be delivered,
the delivery address not enabling the second party to determine said information of the first
party; and

a third party computer providing for approval or disapproval of the purchase of the
good by the first party from the second party based on financial information relating to the
first party, and if the purchase is approved, providing for payment to the second party while
securing said information of the first party with respect to the second party.

148. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery
address to which the good can be delivered while securing said information of the first party
with respect to the second party, comprising:

a proxy device altering information from the first device directed to the second device
to prevent the second party from determining said information of the first party;

the proxy device providing for approval or disapproval of the purchase of the good by
the first party from the second party based on financial information relating to the first party,
and if the purchase is approved, providing for payment to the second party while securing
said information of the first party with respect to the second party; and

the proxy device providing a delivery address to the second party to which the good is
to be delivered, the delivery address not enabling the second party to determine said
information of the first party.

149. The system of claim 148 wherein the first device comprises a first computer
and the second device comprises a second computer.

150. The system of claim 149 wherein the proxy device comprises a proxy 
computer and proxy software associated with the first computer or the proxy computer, or 
both for providing for approval or disapproval of the purchase based on financial information 
of the first party, and if the purchase is approved, for providing for payment to the second
party and debiting of the first party.

151. The system of claim 150 comprising at least a third computer communicating
with the proxy computer for approving or disapproving the purchase based on financial 
information of the first party available to the third party, and if the purchase is approved, for 
electronically crediting the second party and electronically debiting the first party. 

152. The system of claim 151 comprising the third computer providing for
payment of a fee to the proxy computer for the proxy computer's participation in purchases in
which the third computer also participates.

153. The system of claim 151 comprising the third computer providing for payment
of a fee to the proxy computer for each first computer enabled to purchase from a second
computer.

154. The system of claim 151 comprising the third computer providing for payment
of a fee to the proxy computer for enabling the third computer to participate in purchases
made by first computers from second computers.

155. The system of claim 147 comprising a third computer communicating with the 
proxy computer to provide for approval or disapproval of the purchase based on financial 
information relating to the first party and a fourth computer to provide for approval or
disapproval of the purchase based on financial information relating to the proxy computer,
and if the purchase is approved, the fourth computer electronically crediting of the second 
party and electronically debiting the proxy computer, and the third computer electronically 
crediting the proxy computer and electronically debiting of the first party. 

156. The system of claim 155 wherein the third computer debits a credit card
account of the first party.

157. The system of claim 155 comprising the third computer or the fourth
computer, or both, providing for payment of a fee to the proxy computer for the proxy
computer's participation in purchases in which the third computer or the fourth computer also
participates.

158. The system of claim 155 comprising the third computer or the fourth
computer, or both, providing for payment of the fee to the proxy computer for each purchase
by a first party from a second party in which the third party or the fourth party participates.

159. The system of claim 155 comprising the third computer providing for payment
of a fee to the proxy computer for each first computer enabled to purchase from a second
computer.

160. The system of claim 155 comprising the third computer providing for payment
of a fee to the proxy computer for enabling the third computer to participate in purchases
made by first computers from second computers.



161. The system of claim 1 55 comprising the fourth computer providing for 



payment of a fee to the proxy computer for enabling the fourth computer to participate in 
purchases made by first computers from second computers. 
^ 1 62. The system of claim 151 wherein a proxy computer receives information 

concerning transactions between first parties and second parties including said information of 
the first party, the proxy computer providing certain of said information of the first party to 
the third computer or the fourth computer, or both, beyond information required to provide 
for approval and disapproval of the purchase. 

163. The system of claim 148 wherein the proxy device alters at least a content
protocol layer of said information.

164. The method of claim 148 wherein the communications network is the Internet, 
the first device comprises a first computer and the second device comprises a second 
computer, and wherein the proxy device comprises proxy software which alters at least a
content protocol layer of the information.

165. The system of claim 164 wherein the proxy software filters cookie data.

166. The system of claim 164 wherein the proxy software filters active code.

167. The system of claim 164 wherein the proxy software filters compromising
procedures.

168. The system of claim 149 wherein the proxy device comprises a proxy
computer and proxy software associated with the first computer or the proxy computer, or
both, which alters said information from the first computer.

169. The system of claim 168 wherein the proxy software provides the delivery to
the second party. 

170. The system of claim 148, 149, 168 or 169 comprising a delivery means for 
delivering the good to the delivery address. 

171. The system of claim 170 wherein the good is a physical good and the delivery
address is the address of a physical facility, and wherein the delivery means comprises means
for physically shipping the good to the physical facility. 

172. The system of claim 170 including means for making the good available at the 
physical facility for pick up by or on behalf of the first party in a manner which does not
require said information of the first party to be revealed at the physical facility.

173. The system of claim 170 including means for physically shipping the good 
from the physical facility to a physical address designated by the first party which is made 
available at the physical facility but not to the second party. 

174. The system of claim 173 including a database storing the physical address
designated by the first party, at least part of said information of the first party, or information
relating to the purchase by the first party, or both, and means for accessing the database using
information relating to the purchase or said information of the first party stored in the 
database to obtain the physical address of the first party to which the good is to be shipped. 

175. The system of claim 169 wherein the good is an electronically transmittable
file and the delivery address is an electronic address of a proxy computer, and wherein the
delivery means comprises means for electronically transmitting the file to the proxy
computer.

176. The system of claim 175 including means for transmitting the file to an
electronic address of the first party which is available at the proxy computer but not to the 
second party. 

177. The system of claim 148 wherein the proxy device either redirects the good to
an address designated by the first party using a proxy party who does not provide the second
party with access to the address designated by the first party, or allows the good to be picked
up by or on behalf of the first party anonymously. 

178. The system of claim 177 including means for providing a first label for
association with the good, the first label having the delivery address and unique information
relating the good and the first party with which the proxy party at the delivery address can
identify an address designated by the first party to which the good is to be reshipped, and
means for providing a second label that has the address designated by the first party and 
which can replace the first label. 

179. The system of claim 178 wherein the means for providing a second label
includes a database mapping the unique information and the address designated by the first
party. 

180. The system of claim 178 including means for providing a label for association
with the good, the label having the delivery address and unique information relating the good
and the first party, and wherein the proxy software provides the unique information to the
second party.

181. A system for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the system providing for payment to the second party and a delivery
address to which the good can be delivered while securing said information of the first party
with respect to the second party, comprising:

the first computer having identifying information which does not reveal said
information of the first party;

the first computer having software which alters information from the first computer
directed to the second computer to prevent the second party from determining said
information of the first party; and

a third party computer providing for approval or disapproval of the purchase of the
good by the first party from the second party based on financial information relating to the
first party, and if the purchase is approved, providing for payment to the second party while 
securing said information of the first party with respect to the second party. 

182. A system for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the system providing for payment to the second party and a delivery
address to which the good can be delivered while securing said information of the first party
with respect to the second party, comprising:

a proxy device altering information from the first device directed to the second device
to prevent the second party from determining said information of the first party;

the proxy device providing for approval or disapproval of the purchase of the good by
the first party from the second party based on financial information relating to the first party,
and if the purchase is approved, providing for payment to the second party while securing
said information of the first party with respect to the second party.

183. The system of claim 182 wherein the first device comprises a first computer
and the second device comprises a second computer.

184. The system of claim 183 wherein the proxy device comprises a proxy 
computer and proxy software associated with the first computer or the proxy computer, or 
both for providing for approval or disapproval of the purchase based on financial information
of the first party, and if the purchase is approved, for providing for payment to the second
party and debiting of the first party. 

185. The system of claim 184 comprising at least a third computer communicating
with the proxy computer for approving or disapproving the purchase based on financial
information of the first party available to the third party, and if the purchase is approved, for
electronically crediting the second party and electronically debiting the first party.

186. The system of claim 185 comprising the third computer providing for payment
of a fee to the proxy computer for the proxy computer's participation in purchases in which 
the third computer also participates. 

187. The system of claim 185 comprising the third computer providing for payment
of a fee to the proxy computer for each first computer enabled to purchase from a second
computer.

188. The system of claim 185 comprising the third computer providing for payment
of a fee to the proxy computer for enabling the third computer to participate in purchases 
made by first computers from second computers. 

189. The system of claim 184 comprising a third computer communicating with the
proxy computer to provide for approval or disapproval of the purchase based on financial
information relating to the first party and a fourth computer to provide for approval or
disapproval of the purchase based on financial information relating to the proxy computer,
and if the purchase is approved, the fourth computer electronically crediting of the second
party and electronically debiting the proxy computer, and the third computer electronically
crediting of the proxy computer and electronically debiting of the first party.

190. The system of claim 189 wherein the third computer debits a credit card
account of the first party.

191. The system of claim 189 comprising the third computer or the fourth
computer, or both, providing for payment of a fee to the proxy computer for the proxy
computer's participation in purchases in which the third computer or the fourth computer also
participates. 

192. The system of claim 189 comprising the third computer or the fourth
computer, or both, providing for payment of the fee to the proxy computer for each purchase
by a first party from a second party in which the third party or the fourth party participates.

193. The system of claim 189 comprising the third computer providing for payment
of a fee to the proxy computer for each first computer enabled to purchase from a second
computer.

194. The system of claim 189 comprising the third computer providing for payment
of a fee to the proxy computer for enabling the third computer to participate in purchases 
made by first computers from second computers. 

195. The system of claim 189 comprising the fourth computer providing for
payment of a fee to the proxy computer for enabling the fourth computer to participate in
purchases made by first computers from second computers.

196. The system of claim 195 wherein a proxy computer receives information
concerning transactions between first parties and second parties including said information of 
the first party, the proxy computer providing certain of said information of the first party to 
the third computer or the fourth computer, or both, beyond information required to provide 
for approval and disapproval of the purchase. 

197. The system of claim 182 wherein the proxy device alters at least a content 
protocol layer of the information. 

198. The system of claim 182 wherein the communications network is the Internet,
the first device comprises a first computer and the second device comprises a second 
computer, and wherein the proxy device comprises proxy software which alters at least a 
content protocol layer of said information. 

199. The system of claim 198 wherein the proxy software filters cookie data.

200. The system of claim 198 wherein the proxy software filters active code.

201. The system of claim 198 wherein the proxy software filters compromising
procedures.

202. The system of claim 183 wherein the proxy device comprises a proxy
computer and proxy software associated with the first computer or the proxy computer, or 
both, which alters information from the first computer. 

203. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the system providing for payment to the second party and a delivery 
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising: 

a proxy device altering information from the first device directed to the second device
to prevent the second party from determining said information of the first party;

at least a third device communicating with the proxy device for approving or 
disapproving the purchase based on financial information of the first party available to the 
third device, and if the purchase is approved, for electronically crediting the second party and
electronically debiting the first party and electronically crediting the proxy device with a
transaction fee. 

204. The system of claim 203 wherein the first device comprises a first computer, 
the second device comprises a second computer, the proxy device comprises a proxy 
computer and proxy software associated with the first computer or the proxy computer, and 
the third device comprises a third computer, the proxy software and the third computer
cooperating to provide for approval or disapproval of the purchase based on financial
information of the first party, and if the purchase is approved, the third computer for
providing for payment to the second party and debiting of the first party.

205. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising: 

a proxy device altering information from the first device directed to the second device 
to prevent the second party from determining said information of the first party; and 

(a) a third device communicating with the proxy device to provide for approval or 
disapproval of the purchase based on financial information relating to the first party, and if 
the purchase is approved, the third device electronically crediting the second party and 
electronically debiting the first party; and 

(b) a fourth device communicating with the proxy device to provide for approval or
disapproval of the purchase based on financial information relating to the first party, and a
fifth device to provide for approval or disapproval of the purchase based on financial
information relating to the proxy device, and if the purchase is approved, the fifth device
electronically crediting the second party and electronically debiting the proxy device, and the
fourth device electronically crediting the proxy device and electronically debiting the first
party;

the system being configurable for operation with (a) or with (b). 

206. The system of claim 205 wherein the first device comprises a first computer,
the second device comprises a second computer, the third device comprises a third computer,
the fourth device comprises a fourth computer, the fifth device comprises a fifth computer,
and the proxy device comprises a proxy computer and proxy software associated with the
first computer or the proxy computer, the proxy software cooperating at least with the third
computer to approve and disapprove the purchase. 

207. The system of claim 206 comprising the third computer or the fourth 
computer, or both, providing for payment of a fee to the proxy computer for the proxy 
computer's participation in purchases in which the third computer or the fourth computer also
participates.

208. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery
address to which the good can be delivered while securing said information of the first party
with respect to the second party, comprising: 

a proxy device altering information from the first device directed to the second device
to prevent the second party from determining said information of the first party;

at least a third device communicating with the proxy device for approving or
disapproving the purchase based on financial information of the first party available to the
third device, and if the purchase is approved, for electronically crediting the second party and
electronically debiting the first party while securing said information of the first party with
respect to the second party;

and wherein the system is configurable to provide certain of said information of the 
first party to the third device beyond information required to provide for approval and 
disapproval of the purchase. 

209. The system of claim 208 wherein the proxy device provides for a delivery
address to the second party while securing said information of the first party, and including
means including a shipping device for providing for delivery of the good to the delivery
address, and wherein the system is configurable to provide certain of said information of the
first party to the shipping device beyond information required to provide for delivery of the
good to the delivery address.

210. In a communications system using the Internet which includes client 
computers that access the Internet and transmit and receive messages, the client computers 
and users thereof having information of a personal or private nature specific to a respective 
user or respective client computer, server computers coupled to the Internet accessible by the
client computers for electronic exchange of information, and at least one proxy computer
coupled to the network which receives and transmits messages over the network and
communicates with client computers and server computers over the Internet, and proxy
software associated with the client computers, the proxy computer or both, the method of
securing said information with respect to server computers comprising the steps of examining
messages of client computers to be transmitted to server computers and messages received
from server computers and altering at least a content protocol layer of the messages to
prevent server computers from obtaining said information.

211. The method of claim 210 comprising the steps of altering the network protocol
layer and the transport protocol layer to prevent server computers from obtaining said 
information. 

212. The method of claim 210 wherein altering said information at least at a content 
layer comprises filtering cookie data.

213. The method of claim 210 wherein altering said information at least at a content 
layer comprises filtering active code. 

214. The method of claim 210 wherein altering said information at least at a content 
layer comprises filtering compromising procedures. 

215. In a communications system using the Internet which includes client
computers that access the Internet and transmit and receive messages, the client computers
and users thereof having information of a personal or private nature specific to a respective
user or respective client computer, server computers coupled to the Internet accessible by the
client computers for electronic exchange of information, the improvement comprising at least
one proxy computer coupled to the network which receives and transmits messages over the
network and communicates with client computers and server computers over the Internet,
and proxy software associated with the client computers, the proxy computer or both, the
proxy software examining messages of client computers to be transmitted to server
computers and messages received from server computers and altering at least a content
protocol layer of the messages to prevent server computers from obtaining said information.

216. The system of claim 215 wherein the proxy software alters the network
protocol layer and the transport protocol layer to prevent server computers from obtaining
said information.

217. The system of claim 215 wherein the proxy software filters cookie data.

218. The method of claim 215 wherein the proxy software filters active code.

219. The method of claim 215 wherein the proxy software filters compromising
procedures.
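
Claims 210 to 219 recite proxy software that examines messages in both directions and alters the content protocol layer by filtering cookie data and active code. The sketch below is an added illustration and not part of the patent text; it assumes that "cookie data" means the HTTP Cookie and Set-Cookie headers and that "active code" means script, applet and object elements, inline event handlers and javascript: URLs, and all function names and the sample message are hypothetical.

```python
import html
from html.parser import HTMLParser

# Assumptions of this sketch: "cookie data" = these HTTP headers; "active
# code" = these HTML elements, on* handlers and javascript: URLs.
COOKIE_HEADERS = {"request": {"cookie"}, "response": {"set-cookie", "set-cookie2"}}
ACTIVE_TAGS = {"script", "applet", "object"}


class ActiveCodeStripper(HTMLParser):
    """Re-serialises HTML, dropping active elements (with content) and handlers."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed, self.skip_depth = [], [], 0

    def _start(self, tag, attrs, container):
        if tag in ACTIVE_TAGS:
            self.removed.append(tag)
            if container:
                self.skip_depth += 1  # swallow everything up to the end tag
            return
        if self.skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            text = (value or "").strip().lower()
            if name.startswith("on") or text.startswith("javascript:"):
                self.removed.append(f"{tag}@{name}")
            elif value is None:
                parts.append(name)
            else:  # the parser unescaped the value; escape it again
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, container=True)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, container=False)

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

    def handle_decl(self, decl):
        self.handle_data(f"<!{decl}>")


def strip_active_code(markup):
    parser = ActiveCodeStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed


def filter_message(raw, direction):
    """Filter one HTTP/1.x message; returns (message, removed_items)."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *lines = head.split("\r\n")
    kept, removed, dropping, is_html = [], [], False, False
    for line in lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if line[:1] not in (" ", "\t"):  # folded lines share the previous verdict
            dropping = name in COOKIE_HEADERS[direction]
            if dropping:
                removed.append(name)
            is_html |= name == "content-type" and "text/html" in value.lower()
        if not dropping:
            kept.append(line)
    if direction == "response" and is_html:
        body, stripped = strip_active_code(body)
        removed += stripped
        # The body changed size, so the declared length must be rewritten.
        kept = [h for h in kept if not h.lower().startswith("content-length:")]
        kept.append(f"Content-Length: {len(body.encode('utf-8'))}")
    return "\r\n".join([start_line, *kept]) + "\r\n\r\n" + body, removed


# Constructed sample response for the demonstration (not from the patent).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: uid=12345;\r\n\tPath=/\r\nContent-Length: 999\r\n\r\n"
    '<html><body onload="track()"><p>5 &amp; up</p><script>document.cookie</script>'
    '<a href="javascript:id()">x</a><a href="/buy?a=1&amp;b=2">Buy</a></body></html>'
)
```

An unterminated active element causes the rest of the document to be dropped, so the filter fails closed; HTML comments are also discarded.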

220. A method for providing a database of a first party's transactions using a first 
device with a second party using a second device to purchase a good over a communications 
network linking the first and second devices, the first party having information of a personal 
or private nature specific to the first party or the first device, the method providing payment
to the second party while securing said information of the first party with respect to the
second party, comprising the steps of:

the first and second parties communicating over the network using respective devices;

altering information from the first device directed to the second device to prevent the
second party from determining said information of the first party;

providing for approval or disapproval by at least a third party of the purchase of the
good by the first party from the second party based on financial information relating to the
first party accessible by the third party, and if the purchase is approved, providing for
payment to the second party while securing said information of the first party with respect to
the second party;

providing at least certain communications between the first and the second parties to a
third device and collecting said data at the third device while securing said information with
respect to the second party; and

providing a database with the collected data which is not accessible by the second
device or the third party.

221. A system for providing a database of a first party's transactions using a first
device with a second party using a second device to purchase a good over a communications
network linking the first and second devices, the first party having information of a personal
or private nature specific to the first party or the first device, the system also providing
payment to the second party while securing said information of the first party with respect to
the second party, comprising:

proxy software associated with first device or a proxy device or both altering
information from the first device directed to the second device to prevent the second party
from determining said information of the first party;

a third device coupled to the network providing for approval or disapproval by at least
a third party of the purchase of the good by the first party from the second party based on
financial information relating to the first party accessible by the third party, and if the
purchase is approved, providing for payment to the second party while securing said
information of the first party with respect to the second party;

means for receiving at least certain communications between the first and the second
devices and means for collecting data while securing said information with respect to the
second party; and

means providing a database with the collected data which is not accessible by the
second device or the third party.

222. A method for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the method providing for a delivery address to which the good can
be delivered while securing said information of the first party with respect to the second
party, comprising the steps of:

the first and second parties communicating over the network using respective devices;

using a proxy device altering information from the first device directed to the second
device to prevent the second party from determining said information of the first party; and

using a proxy device providing for approval or disapproval of the purchase of the
good by the first party from the second party based on financial information relating to the
first party, and if the purchase is approved, providing for payment to the second party while
securing said information of the first party with respect to the second party; and

allowing more than one first party having unique said information to use the same
first device and carrying out the altering step and the approval or disapproval and payment
steps for purchases by each first party using the same first device while securing the unique
information of each first party.

223. The method of claim 222 wherein one of the first parties using the same first 
device has an account with a third party, and wherein the step of allowing more than one first
party to use the same first device comprises providing a subaccount within the first party
account for each other first party using the same first device. 

224. The method of claim 223 wherein each first party is identified by different
secret information, and including the step of the requiring a first party to provide secret 
information specific to that first party to the proxy device before allowing a transaction to 
complete. 

225. A system for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the method providing for a delivery address to which the good can
be delivered while securing said information of the first party with respect to the second
party, comprising:

a proxy device altering information from the first device directed to the second device
to prevent the second party from determining said information of the first party;

the proxy device providing for approval or disapproval of the purchase of the good by
the first party from the second party based on financial information relating to the first party,
and if the purchase is approved, providing for payment to the second party while securing
said information of the first party with respect to the second party and allowing more than
one first party having unique said information to use the same first device and carrying out
the altering step and the approval or disapproval and payment steps for purchases by each
first party using the same first device while securing the unique information of each first
party.

226. The system of claim 225 wherein one of the first parties using the same first 
device has an account with a third party and each other first party using the same first device 
has a subaccount within the first party account, and wherein each first party is identified by
different secret information, the proxy device requiring verification of secret information
from a first party specific to that first party before allowing a transaction to complete. 

227. A method for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the method providing for delivery of the good and for return of a
delivered good, if authorized, while securing said information of the first party with respect
to the second party, comprising the steps of:

the first and second parties communicating over the network using respective devices;

providing information from the first device directed to the second device for
communicating with the second device or to order a good while securing said information of
the first party;

providing a delivery address to the second party to which the good is to be delivered,
the delivery address not enabling the second party to determine said information of the first
party;

providing for delivery of the good to the delivery address; and

where authorized, providing for return of the good from the delivery address or
another address while securing said information from the second party.

228. The method of claim 227 wherein the step of providing information from the
first device directed to the second device while securing said information comprises
providing proxy identifying information specific to the first party or the first device from
which the second party can not determine said information.

229. The method of claim 227 wherein the step of providing information from the 
first device directed to the second device while securing said information comprises the step 
of altering information from the first device directed to the second device. 

230. The method of claim 229 wherein the step of the first and second parties
communicating with each other over the network comprises the first party using a first
computer and the second party using a second computer. 

231. The method of claim 230 wherein the step of altering information from the
first device comprises altering information from the first computer using proxy software
associated with the first computer or a proxy computer, or both.

232. The method of claim 230 wherein the step of providing the delivery address 
comprises using the proxy software to provide the delivery address. 

233. The method of claim 230 wherein the good is a physical good and the delivery 
address is the address of a physical facility, and wherein the step of providing for delivery of
the good to the delivery address includes the second party providing for physical shipment of
the good to the physical facility. 

234. The method of claim 233 including the step of making the good available at 
the physical facility for pick up by or on behalf of the first party in a manner which does not 
require said information of the first party to be revealed at the physical facility. 

235. The method of claim 234 including the step of returning the good from the
physical facility to a delivery address designated by the second party while not enabling the
second party to determine said information of the first party.

236. The method of claim 234 including the step of providing a physical address
designated by the first party to the physical facility but not to the second party. 

237. The method of claim 236 including the step of providing for shipment of the 
good from the physical facility to the physical address. 

238. The method of claim 237 including the steps of returning the good to the 
physical facility and from there to a delivery address designated by the second party while 
not enabling the second party to determine said information of the first party. 

239. The method of claim 230 wherein the good is an electronically transmittable 
file and the delivery address is an electronic address of a proxy computer, the step of 
providing for delivery of the good to the delivery address including the second party 
providing for electronic transmission of the file to the proxy computer.

240. The method of claim 239 including the step of returning the good from the
electronic address of the proxy computer to an electronic address designated by the second 
party, or alternatively destroying the file, while not enabling the second party to determine 
said information of the first party. 

241. The method of claim 239 including the step of the proxy computer transmitting
the file to an electronic address of the first party which is available to the proxy computer but 
not to the second party. 

242. The method of claim 241 including the steps of returning the good to the
electronic address of the proxy computer and from there to an electronic address designated
by the second party, or alternatively destroying the file, while not enabling the second party
to determine said information of the first party.

243. The method of claim 228 wherein the good is an electronically transmittable
file and the delivery address is an electronic address associated with the proxy identifying
information of the first device, the step of providing for delivery of the good to the delivery
address including the second party providing for electronic transmission of the file to the
electronic address of the first device.

244. The method of claim 227 including the step of providing for approval or
disapproval of the purchase of the good by the first party from the second party based on
financial information relating to the first party, and if the purchase is approved, providing for
payment to the second party while securing said information of the first party with respect to
the second party.

245. The method of claim 244 wherein the good is a physical good and the delivery address
is the address of a physical facility, and wherein the step of providing for delivery of the 
good to the delivery address includes the second party providing for physical shipment of the 
good to the physical facility. 

246. The method of claim 245 including the step of making the good available at
the physical facility for pick up by or on behalf of the first party in a manner which does not
require said information of the first party to be revealed at the physical facility.

247. The method of claim 246 including the step of returning the good from the
physical facility to a delivery address designated by the second party and crediting the first
party for the return while not enabling the second party to determine said information of the
first party.

248. The method of claim 246 including the step of providing a physical address
designated by the first party to the physical facility but not to the second party.

249. The method of claim 248 including the step of providing for shipment of the 
good from the physical facility to the physical address. 

250. The method of claim 249 including the steps of returning the good to the
physical facility and from there to a delivery address designated by the second party and
crediting the first party for the return while not enabling the second party to determine said
information of the first party.

251. The method of claim 244 wherein the good is an electronically transmittable
file and the delivery address is an electronic address of a proxy computer, the step of
providing for delivery of the good to the delivery address including the second party
providing for electronic transmission of the file to the proxy computer.

252. The method of claim 251 including the step of returning the good from the
electronic address of the proxy computer to an electronic address designated by the second
party, or alternatively destroying the file, while not enabling the second party to determine
said information of the first party.

253. The method of claim 251 including the step of the proxy computer transmitting
the file to an electronic address of the first party which is available to the proxy computer but 
not to the second party. 

254. The method of claim 253 including the steps of returning the good to the
electronic address of the proxy computer and from there to an electronic address designated
by the second party, or alternatively destroying the file, and crediting the first party for the
return while not enabling the second party to determine said information of the first party.

255. A system for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the system providing for a delivery address to which the good can be
delivered while securing said information of the first party with respect to the second party,
comprising:

a proxy device altering information from the first device directed to the second device
to prevent the second party from determining said information of the first party; and
the proxy device providing a delivery address to the second party to which the good is
to be delivered, the delivery address not enabling the second party to determine said
information of the first party.

means for providing for delivery of the good to the delivery address; and
where authorized, means for providing for return of the good from the delivery
address or another address while securing said information from the second party.

256. The method of claim 1 or 22 including the steps of providing for physical 
delivery of a physical good to the delivery address and providing for tracking of the good 
during delivery. 

257. The system of claim 112 or 127 including means for providing for physical
delivery of a physical good to the delivery address and means for providing for tracking of
the good during delivery.

258. The method of claim 227 including the step of providing for tracking of the
good during delivery.

259. The method of claim 227 or 258 including the step of providing for tracking of 
the good during return. 

1. First party transmits an order to the proxy party

2. Proxy party requests credit approval of first party

3. Third party approves credit of first party

4. Proxy party passes order and its account information to second party

5. Second party requests credit approval of proxy party

6. Third party approves credit of proxy party

7. Second party ships good

8. Third party credits second party

9. Third party debits first party

(Credits or payments between parties are not shown except
for the credit to the second party)

1. First party transmits an order to the proxy party

2. Proxy party requests credit approval of first party

3. Third party approves credit of first party

4. Proxy party passes the order and its account information to second party

5. Second party requests credit approval of proxy party

6. Fourth party approves credit of proxy party

7. Second party ships good

8. Fourth party credits second party

9. Fourth party debits third party

10. Third party debits first party

(Credits or payments between parties are not shown except
for the credit to the second party)

Second party requests credit approval of first party
Third party approves credit of first party
Second party ships good
Third party credits second party

ELECTRONIC PURCHASE OF GOODS OVER A COMMUNICATIONS NETWORK
INCLUDING PHYSICAL DELIVERY WHILE SECURING PRIVATE AND PERSONAL
INFORMATION

BACKGROUND OF THE INVENTION

The invention disclosed herein relates to transactions over a communications network
between first and second parties, including ordering of a good and/or delivery of the good
and/or payment for the good while securing private and personal information specific to the
first party or the network device used by the first party with respect to the second party and
unauthorized parties, i.e., others who may or may not be parties to the transaction. Such
information may include the first party's identity, financial information (where a purchase is
involved) and address. The first party may be a consumer or retail customer and the second
party may be a merchant or retailer. The good may be delivered to a physical address or
electronic address designated by the first party or to a physical depot for pick-up by the first
party, while providing complete anonymity of the first party with respect to the second party.

"Communications network" is meant in a broad sense, and may include any suitable
technology for information transmission, including electrical, electromagnetic and optical
technologies. Such a network may include a computer or computers associated with the first
party, a computer or computers associated with the second party and/or a computer or
computers associated with the network. Such a communications network may link
computers, e.g., a LAN or WAN. Although the invention has particular application to an
open network such as the Internet, it may also be used in other networks, internets and
intranets. Therefore, while much of the following description makes specific reference to the
Internet, it is to be understood that there is no intention to limit application of the invention to
the Internet and that the invention has application to any suitable network. Further, while the
invention is primarily directed to the ordering and/or purchase and physical delivery of goods 
from retailers selling electronically over a network, it also applies to the ordering and/or 
purchase of goods that may be delivered electronically and to the purchase and delivery of 
services that result in a deliverable. 

The growth of electronic commerce (e-commerce) over the Internet has been 
explosive, and expectations are that such growth will continue. However, the Internet as an 
open network provides opportunities to legally and illegally collect and use vast amounts of 
information which people consider private and personal, and concerns over privacy, fraud 
and security online could inhibit the continued explosive growth of business-to-consumer 
electronic commerce. Currently, shopping, browsing or other information-sharing activities
on the Internet expose users to unwanted collection of their private and personal
information, from which their identities, activities, behaviors and preferences can be
ascertained. Many people are fearful that someone may be watching their every move when
they interact on the Internet, and that somehow information collected by such persons will be
used to their disadvantage, from outright theft using credit card information to unwanted
intrusions from marketers in the form of "spam" email, and other intrusive activities. (See,
e.g., 1999 National Consumer League: Consumers and the 21st Century, New York: Louis
D Harris & Associates, Inc., 1999). 

In fact, information on the Internet is currently being captured from mouse clicks 
made on a Web browser by a user, and from information transmitted by a user to a Web site.
This information can be processed, for example, to electronically profile users, and used or
sold, depending upon the data collector's privacy policy. Internet users are becoming aware
of the relative ease with which parties may obtain their private and personal information and 
are concerned about the gathering of such information and the potential for its distribution. 
They are also concerned about interception of credit card numbers and other financially 
related data. 

As a result, many people, fearful of providing their private and personal information, 
are restricting their use of the World Wide Web. This may be manifested by potential users 
seldom accessing the Internet, by users cautiously not submitting or clicking anything of a
private or personal nature, and by users not entering into e-commerce transactions, any of
which of course inhibits e-commerce and development of the full potential of the
e-commerce marketplace.

Since most business-to-consumer transactions conducted over the Internet involve the
use of credit or debit cards, and consumers are protected by the legal limits on liability for the
unauthorized use by third parties of their cards, the parties most concerned about security and
fraud prevention have naturally been the banks, credit card companies and merchants which
must bear the cost of fraudulent transactions for which their card holders are not legally
liable. Encryption of credit card and other data transmitted over the Internet helps banks and
credit card companies protect against unauthorized use of credit cards.

Nonetheless, despite the limitations on their legal liability described above, a great 
number of consumers remain hesitant about electronic commerce. Their concerns include 
questions about whether the merchants doing business in electronic commerce actually exist
outside of "cyberspace," whether they will misuse credit card, private and personal
information provided to them, whether they will correctly and honestly fulfill orders, honor
product warranties and return-for-credit guarantees, and the like. (See G. Gray and R.
Debreceny, The Electronic Frontier, 185 Journal of Accountancy 32-37, May 1998.)

To complete an electronic transaction in current and emerging e-commerce, one or 
more of the parties to the transaction must pass private and/or personal information to 
another party. For example, in the transaction represented in Fig. 1, a first party customer
(consumer) submits an order for a good in step 1.1 to a second party merchant (retailer) using
a WWW form. The second party merchant in step 1.2 requests credit authorization for the
transaction with a respective credit card clearing entity. Upon authorization of the
transaction by the credit card clearing entity (step 3), the merchant confirms the transaction
with the customer (step 1.4) and then provides for transfer of the good to a shipper (step 1.5)
who delivers it to the customer (step 1.6). These different steps involve transfer of private 
and/or personal information among the parties. The customer provides credit card 
information and a shipping address to the merchant. The merchant passes the credit card 
information and the sum of the transaction to the credit card clearing entity. The merchant 
may also pass identification of the purchased good or service to the credit card clearing 
entity, at least in cases where the credit card clearing entity provides or extends product 
warranties or another service which require an identification of the good. The merchant
provides for transfer of the good to a first party's shipping address usually in the name of the 
first party which are both provided to the shipper. 

Additionally, underlying communication protocols and systems may provide
additional private and/or personal information. The customer's computer has an identifying
IP address used to route data packets to the merchant computers or servers. This IP address
is often monitored by unknown parties and merchant systems, and incorporated in databases
to enable the merchant and others to identify the customer as soon as the customer accesses
services in the future. Over time, merchants (and others) collect such private information and
share it with various entities compromising consumer privacy. 

These databases are provided or bought and sold among organizations and companies 
who may then correlate this information along with other information producing larger 
databases that store very detailed history of the user's activities and behaviors, often without
users being aware of this activity. Users' histories are thus correlated over time often using
their transactions that are linked to their true identity.

Tools have been developed to address privacy and security concerns of Internet users.
(See, for example, the February, 1999 issue of Communications of the ACM, Vol. 42, No. 2.)
One approach developed to help protect the identity of Internet users which allows them to
surf the Web anonymously utilizes anonymizing agents, which prevent a user's IP address
from reaching a Web site. This approach requires that the users trust the anonymizing agent.
Some of these tools enable Internet users to insert pseudonyms into Web forms, so that users
can anonymously return to the same site as the same user. Different pseudonyms can be
provided for different Web sites. Examples of anonymizing (and pseudonym) agents
include: "The Anonymizer" (www.anonymizer.com); "Lucent Personalized Web Assistant"
(LPWA) (www.bell-labs.com/project/lwpa); Novell Directory Services (NDS) "digitalme";
Zero Knowledge System's "Freedom" (www.zeroknowledge.com); Privaseek's
"PersonaXpress" (www.privaseek.com and www.personaxpress.com).

Another approach, which does not require an anonymizing agent, randomly routes
requests to a Web site through numerous users without shielding the IP address of any of the
users so that neither the destination Web site nor any user (or intermediate node) through
which the request was routed can determine the IP address of the originating user. Examples
of tools which provide anonymity in this way include: "Crowds"
(www.research.att.com/projects/crowds); and "Onion Routing" (www.onion-router.net).

In addition, a privacy seal program has been instituted by a non-profit organization, 
TRUSTe. Display of the TRUSTe "trustmark" by member Web sites requires that they 
adhere to established privacy principles and agree to comply with ongoing TRUSTe 
oversight and consumer resolution procedures, including: adoption and implementation of a 
privacy policy that takes into account consumer anxiety over sharing personal information
online; notice and disclosure of the Web site's information collection and use practices; and
the opportunity for users to exercise control over their information.

European Patent Application Publication EP 0 855 659 A1 of Lucent Technologies
Inc. describes a proxy system that allows anonymous browsing on the Internet. The proxy
system substitutes identifiers in browsing commands received from a user which would
identify the user, and filters other information (e.g., HTTP Header fields) associated with
browsing commands that would allow server sites to determine the true identity of users.
The substitute identifiers are site specific, and are consistently used so that a server site
recognizes a returning user and may provide personalized service, and so that the proxy
system is transparent to server sites. The proxy system may perform all functions within a
central proxy system, or some functions in a peripheral proxy system (e.g., at a user site) and
some in a central proxy system. The proxy system may provide its own credit card number
or an alias credit card number to a requesting site and collect money from its users.
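
The two behaviors attributed above to the prior-art proxy, filtering identifying HTTP header fields and substituting site-specific identifiers that stay the same on every return visit, can be sketched as follows. This is an added illustration, not code from this application or from EP 0 855 659 A1; the HMAC derivation, the header list, the form placeholders, the `proxy.example` mail domain and all function and class names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Header fields treated as identifying. The list is an assumption for this
# sketch; the text above only says that "HTTP Header fields" are filtered.
IDENTIFYING_HEADERS = frozenset({
    "authorization", "cookie", "from", "referer",
    "user-agent", "via", "x-forwarded-for",
})

# Hypothetical placeholders a user enters in a Web form where the site
# asks for a login name or an e-mail address.
NAME_PLACEHOLDER = "{alias:name}"
EMAIL_PLACEHOLDER = "{alias:email}"
ALIAS_MAIL_DOMAIN = "proxy.example"  # constructed domain run by the proxy


class PrivacyProxy:
    """Strips identifying headers and swaps user identifiers for aliases
    that are stable per (user, site) and unlinkable across sites."""

    def __init__(self, secret: bytes):
        if len(secret) < 16:
            raise ValueError("proxy secret must be at least 16 bytes")
        self._secret = secret

    def alias_for(self, user_id: str, site: str, kind: str) -> str:
        # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
        parts = [kind.encode(), site.lower().encode(), user_id.encode()]
        msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
        # Keyed hash: without the proxy's secret a site can neither invert
        # an alias nor match it against the alias used at another site.
        digest = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return "u" + digest[:16]

    def rewrite_request(self, user_id, url, headers, form):
        """Return (site, headers, form) as they would leave the proxy."""
        site = urlsplit(url).hostname
        if not site:
            raise ValueError(f"no host in URL: {url!r}")
        kept = {k: v for k, v in headers.items()
                if k.lower() not in IDENTIFYING_HEADERS}
        out_form = {}
        for field, value in form.items():
            if value == NAME_PLACEHOLDER:
                value = self.alias_for(user_id, site, "name")
            elif value == EMAIL_PLACEHOLDER:
                alias = self.alias_for(user_id, site, "email")
                value = f"{alias}@{ALIAS_MAIL_DOMAIN}"
            out_form[field] = value
        return site, kept, out_form


def demo():
    """Constructed sample request sent by one user to two different sites."""
    proxy = PrivacyProxy(b"constructed-demo-secret-0123456789")
    headers = {
        "Host": "shop.example",
        "Accept": "text/html",
        "User-Agent": "ExampleBrowser/1.0 (constructed)",
        "Referer": "http://intranet.corp.example/wiki",
        "Cookie": "session=constructed",
    }
    form = {"login": NAME_PLACEHOLDER, "email": EMAIL_PLACEHOLDER,
            "color": "blue"}
    first = proxy.rewrite_request("alice", "http://shop.example/register",
                                  headers, form)
    second = proxy.rewrite_request("alice", "http://news.example/signup",
                                   headers, form)
    return first, second


if __name__ == "__main__":
    for site, hdrs, fields in demo():
        print(site, hdrs, fields)
```

The same user receives a different alias at each site, so two sites comparing records cannot join them on the login name or e-mail address, while each site still sees one consistent returning user.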

U.S. Patent No. 5,794,221 discloses an Internet billing method in which an ISP 
through agreement with customers and vendors pays vendors and collects from customers for 
products and services purchased by the customer over the Internet without the need for the 
customer to transmit credit information to the vendor. While the method improves security 
of the financial aspect of a transaction, the customer browses in the usual way and the
method does not provide for customer anonymity. 

Examples of systems and methods for anonymous and/or secure Internet 
communications and transactions are disclosed in U.S. Patent Nos. 5,420,926, 5,557,518,
5,729,594 and 5,815,665, Japanese Patent Application Publication 10-320646 dated April 12, 
1998, and WIPO International Publication No. WO 97/26612. 

As shown in Fig. 1 and discussed above, purchase of a good over the Internet requires 
delivery of the good, which in turn requires a postal address. Postal addresses today are 
maintained on numerous databases, many of which are available from a number of 
commercial sources. Address matching software is likewise commercially available. Hence, a 
first party's postal address can be sufficiently revealing of personal identity that without some 
means of hiding address information from a second party, any effort by a first party to remain 
anonymous or unknown to the second party cannot be guaranteed. Although this problem 
has been recognized, to the knowledge of the inventors it has not been addressed, and there is
no e-commerce system which allows a first party to electronically purchase a good from a
second party while not only securing the identity of the first party, but also the first party's 
postal address. The use of post office boxes, discussed below, is an improvement, but not a 
solution. 

As represented in Fig. 2, shipping involves at least three participating entities: a 
sender — an entity that wishes to deliver a good, who can be a merchant, vendor, retailer or
provider of the good; a recipient — a target entity to receive the good — who can be a
customer or purchaser or orderer of the good; and a shipper — an entity that transports the
good from the sender to the recipient. In a typical Internet transaction involving shipping,
the sender provides identification of the recipient and the recipient's address to the shipper in 
order for the shipper to deliver the good to the recipient. The recipient must initially provide 
data on his, her or its identity and address to the sender or the shipper or both. This data may 
be collected, analyzed and correlated with other data to compromise the privacy of the 
recipient. 

The need for private shipping has been known for a long time and is currently 
addressed through the use of a post-office box (POB), or its variants. A recipient can use a 
POB to hide his, her or its identity from a sender. A recipient must however disclose his, her 
or its identity to the POB operator (e.g., the post-office (shipper), or private operators) — 
which functions as a trusted entity— once, and then uses the POB to protect the recipient's 
identity from the sender. 

There are several drawbacks to the use of POB techniques in providing privacy-protected
shipping for electronic commerce.

1. Pre-arranged relationship: a POB requires the recipient to first arrange for a mailbox
with the POB provider. This restrictive requirement discourages use by persons or
entities who occasionally desire privacy. POB is typically used for other reasons and
for mass market privacy-protected distribution applications.

2. Pre-allocated space: the provider of a POB service pre-allocates storage space for the
mailbox owner and charges each mailbox owner a storage fee. This restrictive
requirement also discourages use by persons or entities who occasionally want
privacy.

3. Inability to handle returns: a POB provides one-way privacy protection. If the
recipient wishes to return the good in a verifiable way, the recipient must disclose his,
her or its identity and association with the POB.

4. Non-provability of delivery: in a dispute concerning a lost package, the shipper
cannot prove that a package was actually delivered to the recipient.

5. Coordinated comprehensive privacy protection: shipping is only part of a commerce
transaction through which a purchaser exchanges information with a vendor to
purchase and obtain the good. To protect privacy, one needs to assure that no private
data is transmitted through the entire transaction. POB shipping does not
accommodate simple or obvious mechanisms that may be coordinated with other
elements of the transaction to assure privacy.

6. Single-failure compromisability: the privacy of a POB owner can be compromised
through a single incident of correlating the identity of the owner with the mailbox
number.

There is thus a need to protect private and personal information, particularly of first party 
users (purchasers, consumers, etc.) and provide security in e-commerce transactions, 
particularly where delivery and/or purchase of a good is involved. 

OBJECTS AND SUMMARY OF THE INVENTION 
It is an object of the invention to provide communication over a communications 
network, particularly an open network, with improved privacy protection for users of the
network.

It is another object of the invention to reduce the unwanted collection and/or
dissemination of information related to users of a communications network, particularly an 
open communications network. 

It is another object of the invention to provide for the electronic order or purchase of a 
good over a communications network by a first party from a second party while securing the 
private and personal information of the first party with respect to the second party and 
unauthorized parties, i.e., others who may or may not be parties to the transaction. It is
another object to provide for the delivery of the good while securing the private and personal 
information of the first party with respect to second party and unauthorized parties. It is 
another object to provide for return of the good while securing the private and personal 
information of the first party with respect to the second party and unauthorized parties. It is 
another object to provide for payment of the good while securing the private and personal 
information of the first party with respect to the second party and unauthorized parties. It is 
another object to also provide for electronic tracking of delivery while securing the first
party's private and personal information from unauthorized parties.

It is another object of the invention to reduce fraudulent purchases in e-commerce 
transactions which use a communications network. 

It is another object of the invention to provide for the credit processing aspects of an 
e-commerce transaction conducted over a communications network while securing private 
and personal information of the purchaser with respect to unauthorized parties (e.g., identity, 
address and bank and credit account information, etc.).

It is another object of the invention to provide for shipping of a good ordered
electronically over a communications network to the party that ordered the good while 
securing private and personal information of the party that ordered the good with respect to 
unauthorized parties. 

It is another object of the invention to share information relating to electronic 
purchases of goods by purchasers from vendors, retailers or merchants and provide a 
database for the purpose of determining the performance of the vendors, retailers and 
vendors. 

It is another object of the invention to gather information about electronic transactions
and purchases that does not include private and personal information of purchasers, but
includes other information about the transaction, including information about the good, its
price, and the identity of the electronic vendor. It is another object to provide a database 
which stores such information such that purchasers are anonymous in the database. 

It is another object of the invention to provide a system and software for the electronic
purchase of a good over a communications network which secures private and personal
information of the purchaser with respect to unauthorized parties, and provides for electronic
payment to the electronic vendor without an operator or provider of the system and/or
software being liable to the merchant for payment on behalf of the purchaser. It is another
object of the invention to provide the operator or provider a fee for this service. 

It is another object of the invention to provide such a system and software for the 
electronic purchase of a good over a communications network which can be selectively 
configured to provide certain transaction information to parties of the transaction while
securing the first party's private and personal information with respect to the second party
and unauthorized parties. 

It is another object of the invention to provide improved filtering of information from 
network users (e.g., first party purchasers, etc.) to prevent others on a network from obtaining
private and personal information of users. 

It is another object of the invention to protect private and personal information of 
network users making electronic purchases over a network while providing flexibility to
accommodate multiple users per network device and per bank or credit card account.

It is another object of the invention to protect private and personal information of 
network users making electronic purchases over a network while providing flexibility to 
accommodate one, or more than one, bank or credit card entity, and to permit such flexibility 
on a per user or per transaction basis. 

Unless otherwise indicated expressly or by context, "good" encompasses a 
deliverable, including a physical good, an electronic or virtual good and a service which 
provides a physical, electronic or virtual deliverable. The terms "user", "purchaser", 
"customer", "consumer", "recipient" and "orderer" are used interchangeably unless indicated
otherwise expressly or by context, and are encompassed by the term "first party" (to an
electronic transaction). Similarly, the terms "vendor", "retailer", "merchant" or "provider"
or "sender" of a good, are used interchangeably unless indicated otherwise expressly or by
context, and are encompassed by the term "second party" (to the electronic transaction).

Securing information of a private or personal nature of a first party or specific to a
first party and/or the device or computer used by the first party means preventing other
parties (who may or may not be parties to a transaction or communication involving the first
party), typically at least the second party, from obtaining such information as may be 
generated, transmitted, stored or collected in a transaction and from which another party may 
learn the private or personal information of the first party. Such private or personal 
information may include: an identity which may be a true physical and/or true electronic 
identity of the first party and/or a computer or device used by the first party; an address 
which may be a true physical and/or true electronic address of the first party or the computer 
or device used by the first party; and/or other information relating to the first party such as 
social security number, driver's license number and bank and/or credit account information. 
Such information may be derived from multiple collections stored and provided by multiple 
parties and shared, linked and/or merged to reveal personal and private information and 
behavior of the user over time. 

The invention disclosed herein achieves the above and other objects, and provides for 
users of a communications network, such as the Internet, to communicate, and/or order, 
and/or obtain and/or receive, and/or purchase and/or charge or electronically pay for
deliverables using the network, while securing such information of a private or personal 
nature of the users with respect to unauthorized parties, and providing improved protection 
against fraud. In accordance with the invention, communications and/or a transaction can be 
carried out between a user or first party, typically a consumer, or a prospective or actual 
purchaser or customer, and a second party, typically a merchant, retailer or vendor, over a 
communications network linking the first and second parties, in which information is
provided and/or a good is ordered, and/or purchased and/or paid for and/or delivered, while
securing such information of the first party with respect at least to the second party. The
invention provides methods, systems and software for doing this and other things. 

The terms "provides for" and "providing for" are meant in a broad sense, and 
encompass a party or device directly or indirectly, alone or with or through one or more other 
parties or devices, effecting the specified action(s), function(s), task(s), etc. 

Depending upon the embodiment and the communications network, the parties may
use computers or other devices to communicate and provide for payment and physical or
electronic delivery. (The term "computer" is also used in a broad sense, and includes devices
which operate or include a component that operates in accordance with a stored set of
instructions, including PCs, microcomputers, microcontrollers. A hard-wired device such as
a gate array though not technically a computer may be considered to be a computer or the
equivalent of a computer as that term is used herein depending upon the function(s)
performed by the hard-wired device. For ease of description and claiming, "computer"
should be interpreted to include such other devices and instruments and such hard-wired
devices.)

In accordance with the invention, delivery of a physical good may be made to a 
physical address of a physical facility designated by the first party which may be a depot for 
pick-up anonymously by or on behalf of first party, or a second or last address while securing
private information of the first party at least with respect to the second party. The first party
may designate any appropriate physical address (e.g., residence or business), including an
address related to another party, e.g., a friend or a party to whom the good is delivered as a
gift. In accordance with the invention, an electronic good may be delivered to an electronic
address designated by the first party while securing the private and personal information of
the first party with respect to other parties. 

In one embodiment, a user or first party may communicate over the network with a 
second party, using a proxy. The proxy may provide a different identity for a user for a set of
communications (e.g., browsing) or for each transaction. Thus, the user has a different
identity each time it establishes communication with a second party or for each transaction.
For example, the proxy may use a unique session number (#F) generated by the proxy for
each transaction to provide a unique alphanumeric name to the second party
vendors. In a sense, the proxy party is anonymized or privatized vis a vis the second party.
Also, vendors will not be able to compile any use history on any user since new or unique
proxy identities generated automatically cannot be linked with other transactions over time.

Alternatively, the proxy may provide the same identity for a user for all 
communications and transactions. In this embodiment, the proxy can provide a user name 
which is a function of a unique name or proxy identifier (I) of each user and the proxy's 
identity (public identity) (P) for each transaction. This user name is the same for each user 
for all transactions and communications for all vendors. Thus, a user history may be
compiled by vendors and others for a user who is anonymous to them. 

The proxy may also alter information from the first party directed to the network or
the second party so that the second party can not ascertain the first party's private and
personal information. The proxy may also provide for payment and/or delivery of an ordered
identity. The proxy may or may not know the true identity of the first party, or any private or
personal information of the first party.

The proxy provided by the embodiments of the invention described immediately
above differs from the proxy system disclosed in the European patent application of Lucent
referenced above (EP 0 855 651 Al) because in one case the identity of the user changes with 
each transaction or browsing or shopping session so that each transaction appears to involve 
a different party without a repeat transaction from any party, and in another case the identity 
of a particular user is the same for all transactions (browsing, shopping, etc.) with all 
vendors, while in the published Lucent European patent application the identity of a 
particular user with a particular Web site is the same for all communications and transactions 
with that Web site and different for other Web sites.

In another embodiment a proxy is not required, unlike the proxy system disclosed in 
the referenced Lucent European patent publication. In this embodiment, the user (first party) 
is provided a transacting (or communicating) identity not the true identity of the user, which
is revealed to the second party but from which the second party (and unauthorized parties) 
can not ascertain private or personal information of the first party. Second parties and others 
can not link the true identity or other private or personal information to the first party (or the 
first party's equipment) with the transacting identity. Thus, all communications from the 
first party appear to others to be from a party with an identity of the transacting identifier. 
Only the party providing the first party with the transacting identity can link the true identity 
of the first party with the transacting identity. Where a purchase is involved, the bank or 
credit clearing entity stores information linking the true identity of the user and the 
transacting identity. This embodiment may also provide for altering information from the 
first party directed to the network or the second party to prevent the second party from
ascertaining the first party's private and personal information. The bank or credit card
clearing entity generates these transacting identities for all customers who use the inventive 
system and method, and provides a database linking the transacting and true identities. When 
a retailer provides the bank or credit card clearing entity with a transacting identity, they link 
to the true identity to process the transaction. For an Internet application, users may also use
the transacting identity to browse, subscribe to an ISP and/or to obtain telephone service for
accessing the Internet. Thus, only the bank or credit card clearing entity will know the true
identity of the user. In this embodiment, the bank or credit card company performs some of
the functions of the proxy described in other embodiments. 

In the embodiment which does not require a proxy, a proxy may be provided for the 
purpose of collecting and storing transaction information for safe keeping and possible later 
use, e.g., in the case of non-receipt or return of an ordered good, or a dispute on payment or 
price, etc. The proxy may expire identifiers and/or user names similar to the manner in 
which credit card companies expire credit cards. This will terminate the history that a vendor
has with a particular user and prevent vendors from maintaining long term preferences for
any user. The expiration cycle for the identifiers and user names may be linked to (e.g., the
same as) the expiration date of a user's credit card. Expiring identifiers and user names on
the same cycle as user credit card numbers, or more frequently such as after each transaction
may also be used as a fraud prevention measure.

In the preferred embodiments, a first party, having information of a personal or 
private nature specific to the first party or a first device used by the first party, orders a good 
from a second party over a communications network. A delivery address to which the good
can be delivered is provided over the network to the second party while securing said
information of the first party with respect to the second party. Information from the first
party directed to the second party for communicating with the second party or to order a good
is provided while securing said information of the first party as indicated above.

The first and second parties communicate with each other over the network using
devices or computers, e.g., PCs. In the embodiment which uses a proxy, the proxy may be
or utilize a proxy device, typically a computer or computers, and/or proxy software
associated with a user device typically a computer (PC) and/or a proxy device, typically a
computer server.

Proxy software includes software executed by devices or computers used by the first
parties and/or software executed by one or more proxy devices or computers. A proxy
system includes the proxy software, one or more devices or computers for executing the
proxy software, and may include other elements as disclosed herein. "Proxy software" and
"proxy system" sometimes overlap and are sometimes used interchangeably as the context
will indicate. Preferably, information from the first party directed to the second party or the
network is altered using software associated with a first device used by the first party or a
proxy device, or both. In this embodiment, this software provides the delivery address to the
second party. The proxy software may be executed by a central proxy device to provide the
delivery address to the second party from stored information. In the embodiment that does
not require a proxy, the delivery address is provided by the first party device.

As mentioned, the good may be a physical good and the delivery address is a physical
address of a physical facility, where the good is physically delivered. The delivery address
may be that of a depot, where the good may be made available for pick up by or on behalf of
the first party in a manner which does not require said information of the first party to be
revealed at the physical facility. Alternatively, delivery to a physical address, which may not
secure said information of the first party, designated by the first party, may be provided for by
delivering first to a first physical address (e.g., a depot), without revealing the private and 
personal information of the first party to the second party and unauthorized parties, and then 
trans-shipping to a second or last physical address designated by the first party but not 
revealed to the second party. The first physical address, given to the second party, does not 
reveal the private and personal information of the first party. Although the second physical 
address may reveal such information, it is made known at the first physical address and not 
given to the second party. Alternatively, the delivery address may be a proxy address that 
does not reveal the true physical address of the first party and that may be converted or
mapped by a shipper to the true physical address to which the good is to be delivered as 
designated by the first party. Shipment to the first delivery address may be referred to as a 
"first hop" shipment, and shipment to the second physical address designated by the first 
party may be referred to as a "second hop" or "last hop" shipment. 

The good may also be an electronically transmittable file and the delivery address an 
electronic address of a proxy, or an electronic address of a first party having a transacting
identity that does not reveal said private and personal information of the first party. In either
case, electronic delivery to the respective electronic address does not reveal said information.
The file is electronically transmitted to the proxy or the first party. If the file is electronically
transmitted to the proxy, the file is then transmitted to an electronic address of the first party,
which may not secure said information of the first party, and which is available to the proxy,
but not to the second party. If transmitted to the first party, the electronic address is a 
transacting address which does not reveal the private or personal information of the first 
party, as discussed above with respect to a transacting identity. 

Provision may be made, with or without a delivery provision, for approval or 
disapproval of a purchase of a good by a first party from a second party based on financial 
information relating to the first party, and if the purchase is approved, provision may be 
made for payment to the second party while securing said information of the first party with 
respect to the second party. Information from the first party directed to the network or the 
second party is secured as described above. 

Approval or disapproval may comprise another party providing for approval or 
disapproval of the purchase based on financial information relating to the first party, and
payment (e.g., crediting an account) may be provided to the second party, if the purchase is
approved, by the other party who also provides for debiting the first party. The other party may
be a third party who approves or disapproves of the purchase based on financial information 
relating to the first party, and who also pays (credits) the second party and debits the first 
party if the purchase is approved. 

The other party may arrange with at least a third party to provide for approval or 
disapproval of the purchase based on the financial information relating to the first party, and 
if approved the other party arranging with at least the third party to provide for payment to 
the second party and debiting of the first party.

In the embodiments described herein, the other party may be the proxy, or a bank or
credit clearing entity. In the proxy embodiment, the other party may be a proxy party and
may use proxy software associated with the first party's first device or a proxy device, or
both, to provide for payment to the second party and debiting of the first party. The proxy
can do this directly, or through at least one third party. 

Approval or disapproval by a third party may be provided using a third device 
communicating with the proxy software which also provides for crediting the second party 
and debiting the first party if the purchase is approved. 

In the embodiment that does not require use of a proxy, the party providing the 
transacting identity may be a bank or credit card company which may also provide the first 
user with an account which also can not be linked to the true identity of the first party. A 
second party merchant simply forwards the transacting identity and account number to the 
bank or credit card company, which has a database linking true identities and true accounts to
the transacting identities and accounts. The bank or credit card company credits the 
merchant and debits the true account of the transacting first party. In this embodiment, the 
first party provides a delivery address to the second party, and delivery is otherwise treated as 
described above. 

The invention is applicable to payment via a credit card or other means, e.g., e-cash or 
other component of an electronic wallet. A transaction fee or service charge may be levied 
for the transaction, similar to the fee levied in a credit card transaction. Part of the fee may 
be paid to a proxy operating or otherwise associated with use of the invention or a proxy 
system, etc. Netting and settling among the first, second, proxy and other parties involves
crediting and debiting various accounts for the purchase price of the good and all or parts of
the service charge. The fee may alternatively be a subscription or sign-up fee which enables 
a party to participate in purchases. The fee may be periodic and fixed for each period, or 
based on the volume or dollar amount of purchases, etc. 

In one embodiment, a third party approves the credit of the first party purchaser, 
credits the second party vendor and debits the first party purchaser. In this embodiment, the 
proxy may or may not have an account with the third party, and the proxy need not be 
actively involved in credit approval and need not be financially responsible for payment to 
the second party and collection from the first party.

In another embodiment, two parties in addition to a proxy party are involved in the 
approval and payment processes. For example, a third party approves the credit of a first 
party and electronically credits a proxy party and electronically debits the first party, and a 
fourth party approves credit of the proxy party and electronically debits the proxy party and 
electronically credits the second party. Here the fourth party approves or disapproves the 
transaction based on the proxy party's account with the fourth party, and the proxy party 
undertakes financial responsibility. Alternatively, the proxy party's participation (and
financial liability) in settling the transactions may be eliminated, and the third party debits 
the first party and credits the fourth party, who debits the third party and credits the second 
party. The approvals in this variation are as follows. The third party approves the credit of 
the first party and the fourth party approves the credit of the third party. In this embodiment, 
as above, the accounts can be credit card accounts, and also a fee is paid to the proxy party, 
which can come from both the third party and the fourth party.

In one embodiment, a system implementing the invention described above may be
configurable, e.g., on a user or other party basis or on a transaction basis, for operation using
a third party, or a third party and a fourth party in addition to the proxy party for the financial
procedures described above. In still another embodiment, systems implementing the
invention described above may be configurable for operation with various parties having
access to or being provided with various information, with the exception that the first party's 
private information remains secured with respect to the second party. 

As pointed out above, the first party's private information is withheld from the second
party and from any unauthorized party, but may be provided to authorized parties. For 
example, depending upon the embodiment, the first party's credit card company (a third or 
fourth party) could be provided with price information only, with price and good information 
only, or with price, good and second party vendor information. A shipper making a last hop 
delivery of a good to a first party would of course know the delivery address and perhaps the 
identity of the first party. The identities of the good and the second party where these appear 
on the outside of a package containing the good or in a shipping record may also be known to 
the shipper. However, in those cases, which are expected to be minimal, the shipped good 
can be repackaged or wrapped, or the last hop delivery may be made by a shipper who is 
authorized by proxy software or is part of the proxy system. 

The first party's identity and credit card number are not transmitted between parties, 
and therefore such information is protected and not available to unauthorized parties as part 
of the transaction. In the proxy embodiment, the first party's account information is not
transmitted to the proxy, and the proxy transmits proxy account information to the second
party, not first party account information. The proxy need not have the true account
information of the first party, but identifying information by which a third party can link to
the first party's account. In the embodiment that does not require a proxy, a transacting
account, not a true account is transmitted to the second party. 

Thus, the invention allows private and personal information to be withheld from the
second party, and allows the first party to communicate with the second party via the
communications network without revealing the user's identity and location or address. This 
provides complete anonymity to the first party vis a vis the second party. With specific 
respect to the Internet, given the existing capability in the communication, transaction 
processing and credit processing chains for accumulating and distributing information
relating to an Internet user's identity, preferences, etc., the complete anonymity that use of the
invention provides to Internet users should allay their fear of conducting e-commerce over
the Internet, or any open computer network. Further, authorized parties who use the
invention, for example credit card companies and banks, will have a powerful tool to expand
use of their credit cards and to attract new members, and prevent fraudulent use.

In the preferred embodiment, the invention is implemented on the Internet (although
the invention is not so limited), and comprises information-processing modules (hardware
and software) which permit Internet users (first parties) to browse and search the Internet
anonymously, order or purchase goods from second parties online anonymously, and have
them delivered anonymously (at least with respect to the second parties providing the goods)
to their homes or offices or other designated address, or to a depot for pick-up by the user.

The user's anonymity is preserved as against (i) proprietors of the Web sites that the
user may visit, (ii) the online second party vendors from whom the user orders or purchases
goods, and (iii) shippers except for the last-hop shipper that delivers a good to an address
designated by the user. Although in the proxy embodiment the user's identity may be known
to the ISP, the browsing behavior, the items purchased, the identity of the vendor, and the
user's financial information are secured or withheld from the ISP. The user's credit card
issuer or company (a third or fourth party) is notified that the user wishes to make a
purchase for a given sum, and information necessary for authorization of the purchase is 
provided in a way which prevents fraud and protects the user's credit card information as 
well. Information about what the user has bought (or ordered if a purchase is not involved), 
and where that purchase is ultimately being shipped can be withheld from the credit card 
company as well as from other parties in the chain of commerce, except for the last-hop
shipper who delivers to the address designated by the user. Measures discussed herein may
also be taken to limit the information available to the last hop shipper. In cases where the
credit card company has a need for information identifying the good or service purchased, as
for example where the credit card company provides or extends a warranty, or provides a
promotion, etc., such information will be supplied to the credit card company. Special
arrangements may also be made so that this information is routinely given to the credit card 
company. The transaction database, or a similar database may also be used to measure 
vendor performance by logging data such as returns, complaints, delivery times, damaged 
goods, etc. Thus, the invention acts as an information buffer between the user and the 
Internet and/or certain parties in the transaction.

In processing transactions, a proxy transaction database may be provided in
accordance with the invention to store information generated in the transactions. In an
embodiment having a proxy system, the proxy transaction database indexes and links the
second party vendor supplied confirmation, order or purchase information, with a unique
session or transaction identifier (#F) generated by the proxy system for each transaction. The
unique session number may be used as an index to the transaction to route messages from
second party vendor computers to the respective first party computer involved in the 
transaction represented by the unique session number. This linkage also allows the proxy 
system to route shipped goods to the user's address if so requested by the user, and to enable 
return of the goods to the vendor. 

The proxy transaction database or another secured address mapping (SAM) database 
(which may be part of or separate from the proxy transaction database) may be used to link
users and their addresses. Second party vendors typically include identifying information on
shipping labels with sufficient detail to uniquely identify purchase or order information
received from customers. This information is linked with the unique session or transaction
identifier created by the proxy computer software working in conjunction with the user proxy
software. Optionally, the proxy computer software may transmit to second party vendors
sufficient identity information that includes the unique session identifier #F. For example,
the NAME field, or some other field, of the second party vendor's form-based web page may
be an automatically generated symbol including as a portion the unique session identifier #F
or a number from which #F may be determined. Automated readers of shipping labels would
therefore read the unique session identifier #F to allow for automated lookup of the user's
actual shipping address where the good is to be delivered directly to a user designated
address. 
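
The per-transaction identity, the same-identity variant and the #F label lookup described above can be sketched as follows. This is an added Python illustration, not part of the patent text; the `SHOPPER-` NAME-field layout, the use of HMAC-SHA256 as the "function of" I and P, the sample values and all class and function names are assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Assumed NAME-field layout: a fixed prefix followed by #F as 16 hex digits.
LABEL_RE = re.compile(r"SHOPPER-([0-9A-F]{16})")


def stable_user_name(proxy_identifier, proxy_identity, key):
    """Same-identity variant: one user name derived from I and P.

    The text only says the name is "a function of" I and P. HMAC-SHA256
    under a key held by the proxy is an assumption, chosen so that a vendor
    holding the name cannot work back to I.
    """
    message = f"{proxy_identifier}|{proxy_identity}".encode()
    digest = hmac.new(key, message, hashlib.sha256).hexdigest()
    return "USER-" + digest[:16].upper()


class ProxySystem:
    """Toy proxy holding the transaction database and the SAM database."""

    def __init__(self):
        self._sam = {}           # proxy identifier I -> designated address
        self._transactions = {}  # session identifier #F -> proxy identifier I

    def register(self, proxy_identifier, address):
        self._sam[proxy_identifier] = address

    def open_transaction(self, proxy_identifier):
        """Create a fresh #F and return the NAME field the vendor sees."""
        if proxy_identifier not in self._sam:
            raise KeyError("unknown proxy identifier")
        session_id = secrets.token_hex(8).upper()
        while session_id in self._transactions:  # keep #F unique
            session_id = secrets.token_hex(8).upper()
        self._transactions[session_id] = proxy_identifier
        return f"SHOPPER-{session_id}"

    def _session_id(self, name_field):
        match = LABEL_RE.fullmatch(name_field.strip())
        return match.group(1) if match else None

    def resolve_label(self, name_field):
        """Shipper-side lookup: NAME field -> #F -> I -> address.

        Returns None for malformed, unknown or expired labels, so a label
        that does not map to a live transaction is never routed.
        """
        proxy_identifier = self._transactions.get(self._session_id(name_field))
        if proxy_identifier is None:
            return None
        return self._sam.get(proxy_identifier)

    def expire(self, name_field):
        """Drop the #F link, ending the history tied to that name."""
        self._transactions.pop(self._session_id(name_field), None)


if __name__ == "__main__":
    proxy = ProxySystem()
    proxy.register("I-0001", "Depot 7, locker 12")  # constructed sample data
    first = proxy.open_transaction("I-0001")
    second = proxy.open_transaction("I-0001")
    print("vendor sees:", first, "and", second)      # two unrelated names
    print("shipper resolves:", proxy.resolve_label(first))
    proxy.expire(first)
    print("after expiry:", proxy.resolve_label(first))
    print("stable name:", stable_user_name("I-0001", "P-PROXY", b"demo-key"))
```

The random #F gives a vendor nothing to join two orders on, while the keyed name is identical on every call and therefore lets a vendor build a history for a user it cannot identify.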

The unique shopping session number (#F) may be a tracking number and/or linked to
a tracking number used to track physical delivery through a shipper's existing tracking
system. Alternatively, a tracking number may be stored in the SAM database and/or provided
to the first party to track the delivery without disclosing the tracking number to the second 
party. 

Third and other parties may also provide transaction databases to store transaction 
information that they are provided with or generate.

As pointed out above, first party private and personal information is secured at least 
with respect to second parties. While credit card companies received all of the transactional 
information when the first party customers dealt direct with second party vendors, use of the 
invention can result in the credit card companies receiving only that transactional information 
that is necessary to perform the credit function. In accordance with an aspect of the
invention, information in the proxy database containing private and personal information of
first parties can selectively be made available to parties other than the second party such as
credit card companies. As mentioned above, the proxy need not know the true identity of the
first party or any private or personal information of the first party. Regardless, a proxy
database can be provided which does not contain any private or personal information of first
parties, and such information made available to any other party. Optionally, the proxy party
can be compensated or otherwise rewarded for supplying such information. Stated another
way, access by banks and credit card companies to transaction information they previously
received can be selectively restricted by the invention.

One way that the invention implements selective passing of transaction information is 
for the proxy party to present itself as the vendor to the credit card company in place of the 
true vendor, and pay the vendor. In order to prevent the credit card company or any other 
party from matching transactions to obtain certain transaction information, the invention 
provides for a proxy party to use the credit card of another credit card company for the 
transaction. 

In addition, rather than selectively supplying such information to credit card 
companies or other parties to the transaction (other than the second party vendors), proxy 
software can provide for passing selected information during the transaction, i.e., the 
software can be selectively configured to pass selected information depending upon the 
relationships and arrangements the proxy party has with third and fourth parties and other 
parties to the transaction. Some non-private information can also be provided to second 
party vendors so that they can maintain an historical preference database. For example, a 
consistent user name may be provided for a particular user to a particular vendor. 

The invention provides for reconfiguration of the software on a party by party basis to 
achieve the above-described selectivity.

Internet Embodiments

In the preferred Internet embodiment, the invention utilizes a proxy and is 
implemented by proxy software executed on user or first party computers and on one or more 
proxy computers. The software may be provided to users by way of a download or 
preferably on a tangible medium like a CD-ROM. The software on the user's computer
operates in conjunction with the user computer's browser, such as Microsoft Internet
Explorer ® or Netscape Navigator ®, either by a default or upon selection by the user. The 
proxy software on the user's computer and the proxy computer(s) cause all communications 
for second parties to be routed through a proxy computer. 

In the preferred Internet embodiment, all browsing by the user is done anonymously 
through the proxy system using a protected proxy identifier (I) or persona unique to the user 
and known only to the proxy system. A unique proxy identifier is assigned to each copy of 
user proxy software provided to a user. The relationship of the proxy identifier and the user 
is maintained secret by the proxy system. As mentioned above, the proxy system need not 
know the user's true identity. To reduce the risk of unintended disclosure of this relationship, 
the proxy identifier is withheld from the user so the user cannot link their true identity with
the proxy identifier. 

The proxy system can use the proxy identifier to automatically apply preferences to a 
transaction, such as shipping mode, delivery name and address (or depot pick up), etc. The 
proxy system may store in a secure way the user's credit card information linked with the 
user's proxy identifier, and charge the user's credit card for the purchase made by the proxy 
system on behalf of the user. Alternatively, the proxy may not have the user's true name and 
account information, and the user's bank (a third or fourth party) may link the user's account 
with the user's proxy identifier and either credit the proxy system operator (proxy party) for a 
purchase made on behalf of the user or eliminate the proxy party from the financial aspects of 
the transaction, i.e., provide for payment to a second party and debit a first party directly. 
Regardless of whether the proxy party is in the payment and responsibility chain, it may be
paid a transaction fee for each transaction (or on some other basis). The user's bank provides
for payment to the second party merchant of the purchase price less a service charge, and 
provides part of the service charge to the proxy party as the transaction fee. 

Typically, the proxy identifier identifies one user. However, sub-accounts may be set 
up for other users (e.g., family or business unit members authorized by the registered user) in
a household or business unit who use the same computer and the same copy of the user proxy
software. The sub-account may, for example, be identified by a field or fields in the proxy
identifier, or in any suitable way. Alternatively, more than one registered copy of user proxy
software may be stored on the same computer.

In conjunction with the user's credit card issuing company or bank, the proxy system 
generates the unique proxy identifier I and provides it as part of the proxy software provided 
to a user, without disclosing the proxy identifier to the user. Each registered copy of user 
proxy software with its unique proxy identifier may be considered as a distinct plastic credit 
card. For security and fraud reduction, the proxy system can expire the user's proxy software
and proxy identifier with the expiration of the user's credit card to which the user has
authorized the proxy system to charge for purchases made on behalf of the user. Thereby,
user proxy software and proxy identifiers will be on the same expiration cycle as the user's
credit card. Similarly, a user's proxy software and proxy identifier can be made unauthorized
(or expired) if a user's proxy identifier or proxy software is lost, stolen, corrupted, etc., or
when the user's credit card is lost or stolen. Users can be supplied with a new copy of user
proxy software (with a new proxy identifier) whenever the user is provided with a new credit
card.

Further, users may register multiple credit cards issued by multiple banks (third or
fourth parties), but each would require the download of a unique copy of user proxy software
with a unique proxy identifier. Alternatively, a single copy of the user proxy software can
store multiple proxy identifiers, selectable by the user for his, her or its purchases, or a copy
of the user proxy software can be provided with the same proxy identifier indexed into the
same credit card account for multiple users of the same credit card account. This is akin to
issuing additional credit cards on the same credit card account. A user may store his, her or
its single "proxy credit card" on more than one computer, e.g., a palm top and a desktop PC.

A user may provide the proxy system with more than one credit card number for each
copy of the user proxy software, and designate credit card choice as part of the transaction or 
otherwise. 

The proxy system allows the user (first party) to be represented not as an individual 
transaction with a true identity, but rather as an anonymous transaction with a proxy 
identifier. For example, a user may allow someone else to make an e-commerce purchase 
with the user's proxy identifier, just like a person today may allow a spouse or child to make 
purchases on that person's credit card account. Use of the same proxy identifier by 
authorized persons is under the control of the user and the issuing bank (third or fourth
party), and the true identity of any of the users of the same proxy identifier (e.g., spouse,
child) can be maintained by the user's bank. However, the true identity of the actual
transactor is known only to the user when the user allows someone else to use the user's
unique proxy identifier. The proxy system essentially provides an electronic means to
transact exactly as it is now done with plastic credit cards, but without disclosing the true
name on the card. The proxy system may provide security against unauthorized use of a
proxy identifier by requiring secret information such as a PIN or password or a biometric be 
used whenever anyone wants to transact using the proxy system. This provides a level of 
security above what is available today using credit cards. 

The proxy software alters a variety of information about the user and his, her or its 
location from the information transmitted from the user to a proxy computer, and provides 
information which enables a Web site to respond to that proxy computer, and that proxy
computer to route the information supplied by the Web server to the proper user. Although
prior art filtering techniques may be used, the filtering described herein is preferred at least 
because it is more comprehensive. 

When a user wishes to purchase or order a good from an online second party vendor, 
the user simply follows the vendor site's usual procedures, selects the good to be ordered,
enters purchase order information, etc., which the proxy software analyzes and alters where
necessary. The user has the perception of placing the order directly with the online vendor.
Alternatively, the proxy computer may substitute its own set of procedures for the vendor's
procedures, and translate between the two sets of procedures while maintaining user
anonymity. Alternatively, the user may supply proxy information by clicking a menu of
choices or dragging and dropping proxy information into the fields of the vendor's
WebPages.

The invention provides comprehensive multi-layer privacy protection, examining 
messages of user or client computers that are to be transmitted to server computers and 
messages received from server computers. At the network protocol layer (e.g., IP and future
protocols), address information of the client computer is replaced with a proxy address. At
the transport protocol layer (e.g., HTTP and future protocols), client computer information of
a private nature is replaced with information that anonymizes the client computer. Unlike
some approaches that only provide anonymizing of IP addresses, and other approaches, such
as disclosed in the European patent application of Lucent referenced above (EP 0 855 651
A1), which filter HTTP headers, the invention goes further and provides for anonymization
at the application layer, capturing and replacing all accesses to client computer system 
information of a private nature, including cookies and other sources of information of a 
private nature, with information that anonymizes the client computer. 
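
The layered replacement described above can be followed on a single request. The Python sketch below is an added illustration, not code from the patent: the header lists, the generic replacement values and the per-session cookie jar held on the proxy are assumptions, and all addresses, hosts and header values are constructed samples.

```python
from dataclasses import dataclass, field

# Assumed lists for illustration; the patent text does not enumerate headers.
DROP = {"cookie", "referer", "from", "via", "forwarded", "x-forwarded-for"}
GENERIC = {"user-agent": "Mozilla/5.0 (compatible)", "accept-language": "en"}


@dataclass
class Session:
    session_id: str                          # per-session identifier (#F in the text)
    jar: dict = field(default_factory=dict)  # host -> {cookie name: value}, held on the proxy


class PrivacyProxy:
    def __init__(self, proxy_addr):
        self.proxy_addr = proxy_addr
        self.routes = {}                     # session_id -> client address, never sent onward

    def outbound(self, session, client_addr, host, headers):
        """Build the request the Web server sees for one client request."""
        self.routes[session.session_id] = client_addr
        out = {}
        for name, value in headers.items():
            key = name.lower()
            if key in DROP:
                continue                     # client cookies and history stop at the proxy
            out[key] = GENERIC.get(key, value)
        cookies = session.jar.get(host, {})
        if cookies:                          # replay only what this session got from this host
            out["cookie"] = "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))
        # Network layer: the source address is the proxy's, not the client's.
        return {"src": self.proxy_addr, "host": host, "headers": out}

    def inbound(self, session, host, headers):
        """Capture Set-Cookie on the proxy; return (client address, headers passed on)."""
        passed = []
        for name, value in headers:
            if name.lower() == "set-cookie":
                pair = value.split(";", 1)[0]             # keep name=value, drop attributes
                cname, _, cvalue = pair.partition("=")
                session.jar.setdefault(host, {})[cname.strip()] = cvalue.strip()
            else:
                passed.append((name, value))
        return self.routes[session.session_id], passed


def demo():
    proxy = PrivacyProxy("203.0.113.10")                  # constructed sample addresses
    first, second = Session("F1"), Session("F2")
    request = {
        "User-Agent": "ExampleBrowser/4.0 (host=alice-pc)",
        "Accept-Language": "en-US",
        "Referer": "http://mail.example/inbox",
        "Cookie": "uid=alice",
        "Accept": "text/html",
    }
    req1 = proxy.outbound(first, "198.51.100.7", "shop.example", request)
    client, passed = proxy.inbound(
        first, "shop.example",
        [("Content-Type", "text/html"), ("Set-Cookie", "cart=42; Path=/; HttpOnly")],
    )
    req2 = proxy.outbound(first, "198.51.100.7", "shop.example", request)
    req3 = proxy.outbound(second, "198.51.100.7", "shop.example", request)
    return req1, client, passed, req2, req3


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The server's cookie still works within the session that received it, so the site can respond normally, but it is never stored on the client and is not replayed in a different session.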

The invention also provides for replacement of compromising procedures, e.g., 
procedures which collect data from a user's computer, or anonymization of the collected 
data. For example, the invention replaces compromising active code (e.g., Java applets and
ActiveX) and/or XML forms. (XML is a new extension of HTML which allows services to
send pages to users marked with tags that activate local information collection routines that 
can compromise user information.) 

In the proxy embodiment, a proxy computer provides the user's credit card company 
(bank) with the user's unique proxy identifier which the bank correlates with the user's credit
card account information, and authorizes or denies authorization for the purchase. In the
embodiment in which a bank gives a user a transacting identity and account, the user's true
credit card information is not known to the proxy and is not transmitted to or by the proxy.
Thus, the user's true credit card information is not transmitted at all on the network.
Information other than the purchase price may or may not be transmitted to the user's bank
depending upon the arrangement between the proxy system operator and the bank. For
example, information about the vendor, the good(s) being purchased or the shipper may also 
be provided to the user's bank. 

The user's bank authorizes (or declines to authorize) the purchase, and conveys such 
information back to the requesting party. Assuming the purchase has been authorized, a
proxy computer enters the order with the online vendor using the proxy system operator's
name and the proxy system's account number (thereby further masking the identity of the
user). The proxy system may implement the credit function with a bank or banks in different
ways. In one embodiment, a single bank is involved in a transaction, which authorizes a
vendor to charge the proxy system operator's credit card account, and then nets the
transaction by paying the vendor the price of the good less the transaction fee, charging the
user's credit card the price of the good, crediting the proxy system operator's account, and
paying the proxy system operator a percentage of the transaction fee (part of the service 
charge). Here, the bank may be provided with a description of the good, and of course has 
the identity of the vendor. Alternatively, the single bank can be provided with all details of 
the transaction and eliminate the proxy operator from the liability and netting chains, except 
for the percentage of the bank fee. 

In another proxy embodiment, two banks are involved: one as the credit card 
company of the proxy system operator and the other as the credit card company of the user.
Here, the vendor charges the purchase price to the proxy system operator's bank and the
proxy system charges the purchase price to user's credit card, and netting provides the two
banks and the proxy system with part of the bank fee. Depending upon the arrangement,
identification of the good may be withheld from both banks and the identity of the vendor
may be withheld from the user's bank.

In either embodiment, the proxy system provides shipping instructions to the second 
party vendor which do not include an address linked to the user. The proxy system may 
include one or more proxy shipping computers to perform certain shipping functions. (The 
other proxy computer(s) can be referred to as privacy protection computers to distinguish 
between them and the shipping computer(s).) 

In the embodiment that does not require a proxy, only a single bank or credit card
entity need be involved. The first party user transmits the transacting identity and account to
the second party vendor, who requests approval from the bank. In this embodiment, the first
party user transmits shipping information directly to the second party vendor. The bank or a
party acting on behalf of the bank may handle shipping (depot operation, label-switching,
transshipping) as described for the proxy embodiment.

As suggested above, e-commerce requires privacy-protected shipping techniques beyond
the scope of POB-like mechanisms. The invention provides privacy-protected shipping
techniques that offer the following features:

1. Two-way Privacy: The recipient of a good ordered using the invention, i.e., a user
of the proxy system, can not only have the good delivered, but can return the good as well,
while assuring that his, her or its identity is disclosed only to the proxy party or a party
authorized by the proxy party and remains completely anonymous with respect to any
distrusted participant in the shipping chain (i.e., the second party vendor, and possibly the
shipper, if the shipper is not authorized by the proxy party to receive private information).
The second party cannot identify the recipient from any data available to it either for
shipping or for returns.

2. Two-way verifiability: The second party vendor and shipper can verify with the
proxy party or a party authorized by the proxy party without compromising privacy that the
recipient received or returned the package in a manner that can allocate responsibility for
loss.

3. One-time transaction privacy: Privacy is provided for each individual shipping
transaction independently of other shipping transactions. In particular, it does not require
long term per-recipient allocation of space or other resources; furthermore, should privacy be
compromised by one transaction, it does not enable compromising additional transactions.

4. Coordinated comprehensive privacy protection of e-commerce transactions:
Shipping can be easily coordinated with shopping and purchasing to provide fully
assured comprehensive privacy protection.

POB privacy-protection substantially fails to support any of these four features. The 
invention as it relates to the problem of privacy-protected shipping provides shipping 
techniques that accomplish these four features. 

The invention provides two techniques to accomplish privacy-protected shipping:
label-switching and one-time virtual mailbox agent (OVM), e.g., depot pick-up. Label-switching
involves switching the labels on a package. Alternatively, label switching may be provided
by using devices that scan computer readable information or codes printed or otherwise
placed on packages which may generate a new electronic label, e.g., by reading a remote
database, and that display an address on a device without printing a physical paper-based
label. The second party vendor provides the package with the ordered good for shipping
labeled with a unique transaction identifier (e.g., #F) and the address of a label switching
agent authorized by the proxy party to handle private information. The label-switching agent
uses this transaction identifier to generate a label with the recipient's identity and address. A
trans-shipper then delivers the relabeled package. In case of return, the authorized
label-switching agent reverses the process and relabels the package with the respective transaction
identifier. Label-switching also applies to electronically delivered goods. Thus, for example, 
a file delivered to an electronic depot with the depot's electronic address may be 
retransmitted from the electronic depot with the user-designated electronic address. 

Label-switched shipping may include the following. A recipient concludes a transaction 
with a second party using the services of the proxy party. The proxy party generates the 
unique transaction identifier and provides it to the second party vendor and the recipient. 
The unique transaction identifier may be applied in machine readable form using any suitable 
technology, e.g., bar codes, glyphs, OCR, etc. The unique transaction identifier serves to 
hide the true identity of the recipient and indexes the transaction. The unique transaction 
identifier may therefore serve as a data key to the entire transaction and may be used to store 
and access transaction data such as recipient name, address, second party vendor, credit card 
information, good information, etc. The unique transaction identifier may be, or may be 
linked to, a tracking number. 

The proxy party provides the unique identifier and the respective recipient identity and 
shipping address to the label-switching agent authorized to handle private information. The 
package, labeled with the unique identifier is passed to the authorized label-switching agent 
where a new shipping label is generated with the unique transaction identifier and address of 
the recipient. The package is delivered via a shipper to the recipient. To handle a return, the 
authorized label-switching agent reverses the process, replacing the label with a unique
transaction identifier and notifying the proxy party of the relabeled shipment. Multiple
different media for communications and/or label switching may be used.

OVM operates as follows. The second party vendor labels the package containing the
good with the unique transaction identifier as described above, and the address of an OVM 
depot, for example, OVM77432572980975, 10 Main Street, Any Town, USA 12345. The 
shipper delivers the package to the OVM depot at the address. The recipient claims the 
package by providing at least the unique transaction identifier (or some number or code from 
which the transaction identifier (#F) may be determined) on the package to the OVM depot. 
However, it is preferred that the recipient provide two pieces of identifying data. Other 
identifying data may be secret information such as a confidential code or a password or
biometric known to the recipient and the OVM agent. 

The shipping instructions include the unique transaction identifier which is associated 
with the shipment so that the shipment can be identified for later trans-shipment to the user or 
for later depot pick-up by the user. The unique transaction identifier is such that the user's 
identity and address are not revealed to the second party vendor. In the case of depot
pick-up, the OVM agent releases the shipment based on a presentation of the unique transaction
identifier, and perhaps some other information which does not reveal the identity and address
of the user to the shipper or depot. In the case of trans-shipment, the user's name and address
are associated with the package after delivery to a trans-shipment point (authorized
label-switching agent) on the basis of the unique transaction identifier, and the good is delivered
from there directly to the user's address. While the trans-shipper may know the identity and
address of the user, the trans-shipper does not know the contents of the package or the price
of the good. However, the identity of the second party vendor and the good may be printed
upon or otherwise evident from the package. In such cases, the package delivered to the
authorized label-switching agent may be repackaged, i.e., placed into another package or
wrapped in some way. An OVM agent may also be required to repackage or wrap a package 
so that the clerk who hands the package over to the recipient can not associate the good with 
the appearance of the recipient. 
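
The two shipping techniques can be modelled as lookups against a mapping keyed by the unique transaction identifier. The Python sketch below is an added illustration, not code from the patent: the class and method names, the identifier format, the use of a salted PBKDF2 hash for the pick-up secret and all names and addresses are assumptions or constructed samples.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _kdf(secret, salt):
    # Keep only a salted, stretched hash of the pick-up secret (assumed design choice).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Shipment:
    name: str
    address: str
    vendor_address: str
    salt: bytes
    secret_hash: bytes
    state: str = "ordered"        # ordered -> delivered or claimed -> returned


class ProxyParty:
    """Holds the mapping from transaction identifier to recipient data."""

    def __init__(self, agent_address, depot_address):
        self.agent_address = agent_address
        self.depot_address = depot_address
        self._sam = {}
        self.notifications = []

    def open_transaction(self, name, address, vendor_address, pickup_secret):
        txn = "F" + secrets.token_hex(8).upper()    # fresh and unguessable for every order
        salt = secrets.token_bytes(16)
        self._sam[txn] = Shipment(name, address, vendor_address, salt,
                                  _kdf(pickup_secret, salt))
        return txn

    def vendor_label(self, txn, depot_pickup=False):
        """Everything the second party vendor is given for shipping."""
        dest = self.depot_address if depot_pickup else self.agent_address
        return {"to": txn, "address": dest}

    def switch_label(self, label):
        """Authorized label-switching agent: replace the inbound label for delivery."""
        rec = self._sam[label["to"]]
        rec.state = "delivered"
        return {"to": rec.name, "address": rec.address, "ref": label["to"]}

    def return_label(self, txn):
        """Reverse switch for a return: identity removed, identifier restored."""
        rec = self._sam[txn]
        rec.state = "returned"
        self.notifications.append(("relabeled-return", txn))
        return {"to": "Returns", "address": rec.vendor_address, "from": txn}

    def depot_release(self, txn, secret):
        """OVM depot: release once, on identifier plus secret; no name is presented."""
        rec = self._sam.get(txn)
        if rec is None or rec.state != "ordered":
            return False
        if not hmac.compare_digest(rec.secret_hash, _kdf(secret, rec.salt)):
            return False
        rec.state = "claimed"
        return True


def demo():
    # Constructed sample data.
    proxy = ProxyParty("Label agent, 1 Dock Rd", "OVM depot, 10 Main Street")
    t1 = proxy.open_transaction("A. Reader", "5 Elm St", "Vendor, 9 Mill Ln", "4821")
    t2 = proxy.open_transaction("A. Reader", "5 Elm St", "Vendor, 9 Mill Ln", "4821")
    inbound = proxy.vendor_label(t1)                # what the vendor prints
    delivery = proxy.switch_label(inbound)          # what the trans-shipper delivers on
    returned = proxy.return_label(t1)               # what travels back to the vendor
    wrong = proxy.depot_release(t2, "0000")
    first = proxy.depot_release(t2, "4821")
    replay = proxy.depot_release(t2, "4821")
    return proxy, t1, t2, inbound, delivery, returned, (wrong, first, replay)


if __name__ == "__main__":
    print(demo()[3:])
```

Two orders by the same recipient carry unrelated identifiers, so the vendor's records for one shipment say nothing about the other, and a depot release cannot be repeated with a copied identifier and secret.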

Thus, at each step of the transaction, the identity and other sensitive information about 
the user remain anonymous to the second party vendor, and no third party has all information 
identifying the user, the product, the second party vendor and the user's financial 
information. 

In the embodiment that does not require a proxy, the functions of the proxy relating to 
shipping, labeling, depot operation and trans-shipping may be handled by the bank or a party 
or parties authorized by the bank. 

In a preferred Internet embodiment, the proxy system includes or uses the following. 

1. User proxy software: The user proxy software is stored on a user's PC or other
device capable of accessing network-based information systems or communications
networks such as the Internet/World Wide Web. Each copy of the user proxy software is
registered and is assigned a unique and secured proxy identifier (I). The proxy identifier is
preferably withheld from the user to enhance security as indicated above. For example, the
proxy identifier is embedded in the user proxy software so that a typical user can not access
it. The user proxy software is "registered" with the proxy system operator which serves as a
privacy protection agent. As described above, multiple related users of the same registered
copy of user proxy software can be accommodated in one or more fields of the proxy
identifier, or otherwise. Also, multiple copies for multiple users may reside on the same
computer. The user proxy software can be distributed by the proxy system operator or a
bank or credit card company affiliated with the proxy system operator, or the proxy system
operator may be a bank or credit card company. 

2. Proxy computer software: Proxy computer software is stored on one or more
proxy computers and identifies registered user proxy software, indexes or links to a user's
bank account (or debit account, or electronic check account, or credit card account) or some
other account used for transacting business or purchasing items. (This user financial
information is not made available to the proxy system operator, who only has information to
index to the user financial information.) Proxy computer software also performs shipping,
label generating and switching functions, and tracking status (during shipping and return) and
shipping status.

The proxy software (user proxy software and/or proxy computer software) includes
filtering software, preferably the filtering software described herein.

3. Proxy computer(s): One or more proxy computers are owned and/or operated
by the proxy system operator, and operate in conjunction with the proxy computer software
to control transactions, including a secured address mapping (SAM) database that links
purchase information with user's shipping address, and a transaction database for purchase,
shipping and transaction information. Different proxy computers or software modules may
perform different functions. For example, separate computers or modules may be used to
perform privacy functions (e.g., handling communications between an on-line second party
vendor and a first party user while maintaining user anonymity), transaction logging,
shipping, label-switching, transaction inquiry handling and confirmation (e.g., linking the
proxy system database and a shipper's tracking database), etc.

4. A browser program: Software or some other means of accessing the 
communications network stored on a user's PC or other appliance. 

5. Bank authorization software: Software stored on the proxy computer(s) 
and/or on one or more computers of one or more banks for submitting transaction 
information to the bank and receiving in return authorization or denial information. 

6. Proxy party credit system: In some embodiments, a credit card account or 
other credit arrangement by which credit of the proxy system operator is involved in the 
purchase of the goods from retailers. 

In addition, a user must have a credit card account, or other account information
(debit, electronic check, etc.), which is authorized to be charged for goods ordered by a user.

In the context of the Internet/World Wide Web, the proxy system may operate as
follows. 

I. Registration procedure: A prospective user applies to the proxy system 
operator or to his, her or its credit card company to become a proxy system user. Upon
approval by the proxy system operator and/or the credit card company (or as part of the
initial application), the user must provide information such as his, her or its credit card
number(s) and expiration date(s), shipping preferences, and services depot and user 
address(es). A copy of the user proxy software is given, mailed or shipped to the user, who 
loads it on his, her or its PC, e.g., as a plug-in to the browser on the PC. The user proxy 
software, in cooperation with the browser on the user's computer, can automatically go online 
to a proxy system computer or prompt the user to access the proxy system, and can complete 
the registration process automatically or in response to prompts, or a combination thereof. 
The registration process may require input by a user of secret information such as a PIN or 
password or biometric or other secret information that the user downloads or selects.
Loading and downloading menus and procedures are provided to facilitate loading of the
user proxy software on the user's PC. 

II. User accesses the proxy system: The user elects to shop privately by
actively clicking an icon, button, book mark or "favorites" or by some other typical means
provided on the browser of the computer being used by the now loaded user proxy software.
Alternatively, the user proxy software may set private shopping as a default, whenever the
browser is active so that a user must click an icon, etc. to browse conventionally. 

The user proxy software may first issue a request to the user to enter secret 
information such as a PIN, password, biometric, key or some other identifying information to 
determine that the user is authorized to transact with the user proxy software. (Since the
active participation of the user in initiating the privacy feature provides direct evidence of the 
user's wish to remain anonymous to second party vendors, users directly control their own 
personal information.)

III. Proxy system creates a session: The proxy computer software creates a
unique session for each transaction (or browsing session with a vendor) to identify
transactions initiated by users in cooperation with the user proxy software. The unique 
session is assigned a unique identifier (e.g., #F) for identification and control purposes. 

The user proxy software transmits to the proxy computer software unique and 
encrypted or secured numbers that are used by the proxy computer software to uniquely 
identify and index the user's unique proxy identifier (I) for the registered client software,
current shopping activity, current order, if any, and user shipping address.

With the proxy system active, the second party vendor's WebPage provided through
the proxy system may appear "wrapped" or "framed" within a window, frame or panel
provided by the proxy system, or as largely provided by the second party vendor but with a
banner, unique cursor icon, or other indication that the proxy system is active but not
appearing in full view. When a user browses through the proxy system, the proxy system
acts as a portal to Web sites. Alternatively, if the user is currently visiting the second party
vendor's WebPage independently of the proxy system and the user wants to now shop
privately, the user accesses the proxy system, and the second party vendor's WebPage cached 
on the user's PC then appears in the proxy system's window, etc. 

The proxy system may provide banner messages, or scrolling or pop up messages 
within its WebPage to remind and direct the user of certain actions the user must or may take 
to hide their identity and personal information from the second party vendor, and may 
provide a final message asking whether all information on the screen is correct.

The second party vendor's WebPage, now embedded within the proxy system's
"wrapping" WebPage or "bannered" by the proxy system, includes form-based fields
requesting the name, address, salutation, shipping address and credit card information from
the user, as well as perhaps other identifying, private or personal information. 

IV. The proxy system communicates with the second party vendor: The user 
proxy software on the user's PC provides menus called, for example, by right mouse button 
clicking on the user's mouse. (Alternatively, icons, buttons, or other easily accessible means
that may be clicked or invoked can be provided, e.g., dragging and dropping information into
fields of the WebPage.) When the user first clicks in the NAME field of the second party
vendor's WebPage form, the user may then right click the mouse to reveal a pop-up menu of
choices, one of which may be NAME, for example. When the user chooses the NAME item
from the right mouse button menu, the user proxy software provides the proxy system's
identity. Alternatively, the proxy computer software, alone or in conjunction with the user
proxy software, provides the proxy system's identity. The proxy system's identity may be
transmitted immediately or when a final submit action is made by the user. The user's true 
identity is therefore not transmitted to the second party vendor. 

For each field of the second party vendor's WebPage form that requests identifying 
information, right mouse button menus and clicks on the menu choices are provided by the 
proxy system to fill out the form entirely with the proxy system's own identity information. 
The clicking actions by the user essentially direct the proxy computer software to transmit
the appropriate identity information of the proxy system. One such piece of information is
credit card account information that is used by the second party vendor to charge and receive
payment. The proxy computer software does not have and does not transmit the user's credit
card information, but rather the proxy system's credit card information, which need not and
preferably is not disclosed to the user. Other account information used by the proxy system 
in the transaction may be transmitted instead, e.g., debit account information, electronic 
check account information, or some other information that provides for a billing, or charge 
and payment transaction between the second party vendor and the proxy system. 

The proxy computer software also transmits as part of the identifying information the 
proxy system's shipping (e.g., depot) address. The user's real shipping address has either been 
previously stored or on file with the proxy system when the user registered, or the user may 
be asked to select shipping information from the proxy computer software while shopping 
and filling out the second party vendor's web form. In the latter case, the selected shipping 
address is transmitted to the proxy computer software for further processing. The proxy
system does not forward the user's shipping address to the second party vendor. Hence, the
information provided to the second party vendor indicates that the second party vendor
transacted with the proxy system, and the user's identity, account information and address are
entirely unknown to the second party vendor in the transaction.

The proxy system additionally removes and replaces any identifying, private and 
personal information from all data transmitted to the retailer as discussed herein. 

The proxy temporarily stores transaction information until a transaction is completed.

V. The proxy system completes the transaction with the second party vendor:
When the user initiates completion of the order by clicking the appropriate button or
icon in the second party vendor's WebPage (e.g., using the right mouse button menus
provided by the user proxy software) the proxy computer software also completes the
transaction by submitting the now completed form but with the proxy system's identifying 
information which has been inserted by the proxy software. 

The second party vendor obtains authorization from the proxy system operator's bank
(which may be the same as the first party user's bank) to charge the transaction to a credit 
card. The proxy computer software waits for and receives from the second party vendor 
confirmation information (e.g., a confirmation page) that the proxy computer software stores 
for future reference. This archived confirmation information includes all identifying 
information transmitted to the second party vendor as well as typically a complete list of 
items ordered from the second party vendor and credit card information. This transaction 
information may be stored on the proxy computer (in a transaction database) for later 
retrieval by the first party. The shipping information may be stored in a secured address 
mapping (SAM) database. 

The second party vendor also supplies a confirmation or order number or symbol 
(e.g., H) used to identify the purchase information displayed in the confirmation page. The 
unique session number (#F) is indexed to this confirmation or order information for future
processing and completion of shipping instructions to direct goods to their final destination 
(the user's shipping address or the proxy system's depot). This information (unique session 
number #F, any confirmation numbers or symbols H returned by the second party vendor, 
and other possible information produced by the proxy computer software working in
conjunction with the user proxy software) is stored in the transaction database and may
optionally be transmitted to the user's PC for local storage and future reference. Information
loaded to a user's PC to enable the user to contact the second party vendor anonymously to
check on order status, or to arrange for return, or to report damage, etc. The down-loaded
information must be sufficient to enable a user to contact a second party vendor and identify
the concerned transaction while maintaining user anonymity. 

VI. The proxy system submits a transaction to the bank: The proxy system's 
server software now transmits purchasing information to a bank as if a customer (the user) 
were purchasing from the proxy system. The proxy system passes to the bank the user's 
proxy identifier that allows the bank to identify the user as a bank customer and access the 
customer's account. In an alternative embodiment, the proxy system database may store user
bank account information linked to the proxy identifier, and the proxy system may transmit 
this account information (encrypted or secured) to the bank. 

The interactions between the proxy system and the bank are protected by 
authentication and encryption of all information communicated. The proxy system enables 
the bank to configure these protection mechanisms in a way that enables only the bank to 
validate the identity of the user and to decode the information transmitted. 

The proxy system notes the transaction, as well as the transaction amount that includes at
least the transaction amount charged by second party vendor for the selected goods plus, 
optionally, additional fees that the proxy system may charge for use of its service. The proxy 
system may thus charge the user an amount that is displayed to the user with confirmation 
information that the user's order and credit card transaction have been completed and
authorized. This information may be directly displayed to the user who may still be
browsing, or it may be transmitted by some other means at a later time, for example email. 

The bank returns or communicates to the proxy system sufficient authorization 
information to allow the transaction to complete. The bank-supplied authorization 
information may optionally be linked with the previously stored confirmation information 
received from the second party vendor. In the normal course of business functions, the 
second party vendor charges the correspondent bank or credit card company of the proxy 
system for the proxy system's apparent purchase of goods. The second party vendor is 
charged a fee by the correspondent bank for the transaction, just as in non-anonymous 
transactions. 

However, hidden from the second party vendor, the credit card company or bank of 
the user credits the proxy system for the purchase of goods and pays the proxy system part of 
the fee charged to the second party vendor by correspondent bank as the proxy system fee. 
The correspondent bank matches the transaction with the user's credit card bank, nets the 
transaction and pays the proxy system its fee. As discussed herein, a different fee 
arrangement may be provided to compensate the proxy system operator. 

As also discussed herein, the user's bank and the proxy system operator's bank may be 
different or the same. 

The authorization and other transaction information with the bank is also stored in the 
transaction database. 

V. and VI. Reversed: Alternatively, the proxy system may first submit
transaction information to the user's bank, wait for authorization and then complete the order
with the second party vendor and complete its communication with the user. If the bank
denies the transaction, then the proxy system would not send confirmation or completion
orders to the second party vendor and the user would be informed that their purchase is 
denied. Alternatively, the user's bank may have pre-authorized the user's transactions by 
providing certificates, or certified electronic cash and thus the user's bank need not be 
contacted during the transaction process. 

VII. Shipping: The second party vendor ships to the address provided by the
proxy system (e.g., by a proxy shipping computer from the secured address mapping (SAM)
database), which cannot be linked to the user by the second party vendor. The proxy system
previously indexed the user's shipping information with the previously stored confirmation
information and unique shopping session or transaction identifier in the secured address
mapping (SAM) database. This shipping information will include either the user's shipping 
address or information designating user pick-up and/or tracking numbers. Where the user 
designated delivery to a shipping address, that address, indexed to the confirmation 
information, is used to generate a new shipping label. The packaged goods are then relabeled 
(or repackaged or wrapped if the identity of the good or the second party vendor is to be 
shielded) with the user-designated shipping address and shipped to the user. 

Where the user designated depot pick-up, the packaged goods can simply be stored 
for pick-up indexed by the shopping session or transaction identifier, or with some other 
information. Alternatively, the packaged goods can be relabeled with other information
useful in facilitating pick-up by the user. (As discussed above, the packaged goods may also
be repackaged or wrapped to hide the identity of the good and the identity of the second party
vendor.) The proxy system notifies the user of shipment by the second party vendor, receipt
at the depot, or both. The proxy system may provide the user and the depot with information 
other than the session identifier (#F) by which the user's package is identified and indexed at 
the depot. 

The procedure described above provides for communication over the Internet using 
the TCP/IP protocol. However, certain communications between the first party users and the
proxy computer(s) can be by e-mail, as can certain communications between the proxy 
computer(s) and third party computer. For example, after successful installation of the user 
proxy software, the user may register by e-mail (encrypted). The proxy may capture the 
registration data and forward it by e-mail to a database (e.g., the transaction database). 
Similarly, after an order has been successfully entered and stored, for example, in a
temporary file, the proxy may capture the information and e-mail it to the database (e.g., the
transaction database). Appropriate information may also be captured and e-mailed to the
bank(s). In addition, confirmations, order information, tracking information and good receipt
information may also be sent by e-mail as well as in response to requests transmitted by the 
browser. Thus, a user may access the order information and track order processing and 
shipping. 

BRIEF DESCRIPTION OF THE DRAWINGS 
The invention is illustrated in the figures of the accompanying drawings which are 
meant to be exemplary and not limiting. The description herein, including the appended 
claims, identifies various elements by specific names for convenience. These names are
intended to be generic in their application unless otherwise indicated. In the accompanying
drawings: 

Fig. 1 is a block and flow diagram representing a conventional multi-party e- 
commerce transaction involving a first party consumer, a second party merchant, a shipper 
and a credit card clearing entity; 

Fig. 2 is a block and flow diagram of a conventional shipping transaction involving a 
sender, a recipient and a shipper; 

Fig. 3 is a block diagram of an embodiment of a system incorporating the invention 
for the purchase of goods over the Internet and payment for the goods; 

Fig. 3A is a block diagram of an alternate embodiment of system depicted in Fig. 3
showing a delivery facility as part of the system; 

Fig. 3B is a block diagram of an embodiment of a system which provides for purchase 
and payment and delivery of goods over the Internet; 

Fig. 3C is a block diagram of a portion of system depicted in Fig. 3 showing an 
additional party (fourth party) as part of the system depicted in Fig. 3B; 

Fig. 3D is a block diagram of an alternate embodiment of a system incorporating the
invention for the purchase of goods over the Internet without a proxy; 

Figs. 3E-3H are flow diagrams showing credit approval and crediting/debiting of the 
parties involved in a transaction for various embodiments; 

Fig. 4 is a block and flow diagram illustrating an electronic purchase made using the 
system depicted in Fig. 3B;

Figs. 4A-4Q illustrate specific steps and data flows carried out using the system
depicted in Fig. 3B; 

Fig. 5 is a diagram illustrating transaction authorization and netting procedures carried 
out by the system depicted in Fig. 3B; 

Fig. 6 is a data diagram representing data generated in a transaction using the system
depicted in Fig. 3B stored by the third party bank; 

Fig. 7 is a data diagram representing data generated in a transaction using the system 
depicted in Fig. 3B stored by the proxy;

Fig. 8 is a table showing data generated during a transaction and the parties who have 
access to the data; 

Fig. 9 is a diagram showing IP protocol layers of IP packets processed by first party 
(user) computers, proxy party computers and second party computers in the system depicted 
in Fig. 3C;

Fig. 10 is a flow chart illustrating an algorithm for filtering outgoing information from
first party computers to the WWW in the system depicted in Fig. 3B;

Fig. 11 is a flow chart illustrating an algorithm for filtering incoming information
from the WWW to first party computers in the system depicted in Fig. 3B;

Fig. 12 is a flow chart illustrating authorization of a purchase from a first party
computer in the system depicted in Fig. 3B; 

Fig. 13 is a block and flow chart illustrating shipping, relabeling and delivery of a 
good purchased, for example, using the system depicted in Fig. 3B; and

Fig. 14 is a block and flow chart illustrating operation of depot pick-up of a good
purchased, for example, using the system depicted in Fig. 3B. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 
As mentioned above, the invention provides methods and systems which enable users 
of a communications network such as the Internet to communicate, and/or order, and/or
obtain or receive, and/or charge or electronically pay for deliverables over the network, while
securing private and personal information of the users with respect to unauthorized parties
and providing improved protection against fraud. Embodiments of the invention may or may 
not include a proxy, as discussed above. 

In the presently preferred embodiment, the methods and systems include a central 
proxy, and a system including a proxy is described below.

The overall architecture of systems with a central proxy incorporating the invention 
can be implemented in different ways, some of which are illustrated in Figs. 3, 3A, 3B and
3C which depict a system 100, 100a, 100b, 100c linked by the Internet 102 and optionally by
one or more secure transmission links 104 for conducting e-commerce over the Internet and
World Wide Web between first party customers, represented by first party computers 106,
and second party merchants, represented by second party computers 110 through a proxy
system 112, 112a which includes proxy computer(s) 108 and proxy software 114. The proxy
computer(s) 108 represent a proxy party or proxy system operator. A third party, represented
by third party computer(s) 116, pays (credits) second party merchants for respective goods
purchased by first party customers and debits the accounts of respective first party customers.

Referring to Fig. 3, the proxy system 112 may include one or more databases for
storing transaction data. For example, a transaction database 115 that stores transaction data
(e.g., as shown in Fig. 7) may be provided that links transaction data, as described below.
Other parties such as the third party bank 116 may also have a database such as a transaction
database 117 that stores transaction data (e.g., as shown in Fig. 6). As pointed out above, by
logging data such as returns, complaints, delivery times, damaged goods, etc. in the proxy
transaction data base, or in another database maintained by the proxy, vendor performance 
can be measured. 

The first party can elect to communicate and transact directly with the second party 
conventionally, as in Fig. 1, or through the proxy system 112 represented in Fig. 3. If
privacy is wanted, communicating or transacting with a second party is handled through the
proxy system 112. The proxy software 114 secures the first party's private and personal
information with respect to unauthorized parties and provides information necessary for an e- 
commerce transaction which routes the transaction through the proxy system 112 and 
identifies the proxy party (i.e., the proxy system operator) as the transactor. 

The proxy software 114 may be executed by the proxy computer(s) 108, or distributed
and executed by both first party computers 106 and proxy computer(s) 108. Fig. 3 depicts an
embodiment in which the proxy software 114 is distributed, part 114a being executed by user
computers 106 and part 114b being executed by proxy computer(s) 108. The first party
computers 106 may function as client computers, and the proxy party computer(s) 108 and
the third party computers 106 may function as server computers. For convenience, and to
more easily differentiate the proxy software parts, proxy software 114a executed by first
party computers 106 is referred to as user proxy software 114a, and proxy software 114b
executed by a proxy computer 108 is referred to as proxy computer software 114b.

A system 112a which may provide for delivery of physical goods, and as illustrated in
Fig. 3A, includes a physical or virtual delivery facility 118 to which a good ordered by a first
party customer is delivered while securing the identity of the first party. The delivery facility
118 may be linked to a proxy computer 108 through the Internet or a secure link 120, and
may include one or more proxy computers 108. A secured address mapping (SAM) database
119 may be provided to link users with their physical or electronic shipping addresses. The
SAM 119 database may be located within a proxy computer 108 that communicates with first
party computers or at a delivery facility 118, or at another location accessible over the
Internet (preferably over a secured channel). 

Thus, Figs. 3 and 3A respectively represent embodiments in which payment for
purchase of a good is achieved over the Internet while securing the private and personal 
information of the purchaser with respect to unauthorized parties, and in which physical 
delivery of a good ordered over the Internet is achieved while securing the private and 
personal information of the purchaser with respect to unauthorized parties. In the preferred 
embodiment, the system 100b shown in Fig. 3B provides for both payment and delivery and is
represented by combining Figs. 3 and 3A, i.e., Fig. 3B includes the delivery facility 118 and
the SAM database 119 at the delivery facility and/or the proxy computer(s) and/or at another
location. 

In the systems 100, 100b depicted in Figs. 3 and 3B, both first parties and the proxy 
party have accounts with the third party 116 (bank or credit card company, etc.), and third
party 116 performs credit clearing and provides for payment (credit) to a second party and
debiting of a first party involved in a particular transaction, and also crediting the proxy party
with a part of the service charge, as described in more detail below. Fig. 3C illustrates a
system 100c which includes two parties, third party 116a and fourth party 124, involved in
credit clearing and payment for a purchase, and represents an alternate embodiment of the
system 100b depicted in Fig. 3B. The third party 116a may be a bank or credit card
company, etc., as in Fig. 3B, with which a first party has an account, and the fourth party 124
may be another bank or credit card company with which the proxy party has an account.
Third party 116a clears credit card transactions with respect to the first party and fourth party
124 clears credit card transactions with respect to the proxy party. The third and fourth
parties settle, where, generally, the fourth party pays the second party, and debits the proxy
party's account with the fourth party, and the third party pays the proxy party by crediting the
proxy party's account with the fourth party and debits the first party's account with the third 
party, as described in more detail below. 

Fig. 3D shows the embodiment that does not require a proxy. System 100d includes
first party computers 106 which include a browser 122 and altering software 114c which
performs the filtering described in connection with the proxy software. System 100d also
includes a delivery facility similar to delivery facility 118 but operated by the third party 116.
Second party computers 110 and a third party computer 116b are similar to those in system
100b shown in Fig. 3B. System 100d may also include a central transaction or proxy
database 115a which stores transaction data for safe keeping and later retrieval by the parties
in the event of a return, or a dispute, etc.

Referring to Fig. 3B, each first party computer 106 accesses the Internet and navigates
the World Wide Web with browser software 122 (e.g., Internet Explorer® and Netscape 
Navigator®). A first party computer 106 may access the Internet and navigate directly 
without using the proxy system 112, or through proxy computer(s) 108 using the proxy 
system 112, as described below.

Operation of the system 100b is described with reference to Fig. 3B and Fig. 4. In the 
flow diagram of Fig. 4, the first party is referred to as "Customer C", or simply "the 
customer", the second party as "Retailer R", or simply "the retailer", the proxy party as
"iPrivacy", the third party as "Bank B", or simply "the bank", and the delivery facility 118 as
"A: Shipping Depot/Transship", or simply as "the depot". In Fig. 4, the customer block is
referenced by 106 consistent with the first party computer(s) 106 in Fig. 3, the iPrivacy block
by 108 consistent with the proxy computer(s) 108 in Fig. 3, the retailer block by 110
consistent with the second party computer(s) 110 in Fig. 3, the bank block 116 consistent
with the third party computer(s) 116 in Fig. 3, and the depot block by 118 consistent with the
delivery facility 118 in Fig. 3A.

Referring to Figs. 3B and 4, the proxy software 114 extends an API (the WWW 
browser 122) with software to monitor, filter and reroute interactions between the browser 
122 and second party computers 110 (e.g., WWW servers). The proxy software 114 provides
anonymizing transformations of these interactions to assure the customer's privacy, and 
eliminates from the transaction all explicit and implicit information identifying the customer 
and issues transaction information to the retailer with the proxy system's own identifying 
information, including financial charging information and a "first hop" shipping address from
which the ordered good may be trans-shipped or held for customer pick up. The proxy
software 114 monitors and filters all data exchanged between the customer computer 106 and
the merchant computer 110 and removes any data that may compromise customer privacy. 
For example, cookies and agents dispatched by merchant computers 110 to customer 
computers 106 are eliminated. 

Referring to Fig. 4, the customer computer 106 has a physical address G and an IP
address G', and user proxy software 114a by which the computer 106 accesses the Internet
through a proxy computer 108 for anonymous WWW browsing and e-commerce. The user
proxy software 114a is registered to Customer C under proxy identifier I, and can be invoked
with PINs, passwords, biometrics, etc. The proxy identifier may have one or more fields or
other means to identify such users, and the proxy computer software may store data relating
to such users. Also, more than one copy of user proxy software 114a may be loaded on the
same PC and registered to different users, or loaded on different computers and registered to
the same user.

Assume that the browser and the user proxy software are active on the customer 
computer 106 at Time T. Referring to Figs. 4 and 4A, in step 1, the Customer C provides or 
clicks a URL R of a WebPage that he or she wants to visit, which is transmitted (step 2, Fig. 
4B) to a proxy computer 108 having a physical shipping address (Depot) A and an IP address 
A', a public proxy system identifier P, and a credit card account D with the bank B. As 
discussed herein, the user proxy software 114a strips at least the Customer C's IP address G'
from the message and substitutes the proxy computer's IP address A'. However, further
filtering may be carried out by the user proxy software 114a and/or the proxy computer
software 114b, as described below.

Referring to Figs. 4 and 4C, in step 3, the proxy computer 108 transmits the altered
message from the customer computer 106 to the retailer R, providing the retailer with the
proxy system identifier P. The retailer responds in step 4 (Fig. 4D) with a return message to
the proxy computer 108. The proxy computer 108 analyzes the message, and may filter or 
alter the message depending upon content before forwarding it to the customer computer 106 
in step 5 (Fig. 4D). Assume that the message forwarded in step 5 includes a form portion, 
i.e., a portion which requests that the customer supply information such as order information, 
name, address, credit card information, etc. In one embodiment, the proxy computer 
software 114b on the proxy computer 108 may filter out form portions requesting private
information and forward only the order portions of the form, which the user fills in (step 6,
Fig. 4E). In another embodiment, the proxy computer 108 may forward the entire message
and rely on user proxy software 114a on the user computer 106 or software transmitted with
the message to warn or prevent a user from entering private information. In either case, a
filled out form is returned (step 7, Fig. 4E) to the proxy computer 108, which generates a
unique session number #F and provides it to the user computer 106 in step 7.5 (Fig. 4E).

A final shipping address designated by the first party and the shopping session 
number is stored in the secured address mapping (SAM) database 119 (Fig. 3B) along with
tracking numbers and used later by the trans-shipper and depot to route the physical delivery 
correctly. 

The total purchase price is determined from the good(s) ordered on the form (Fig. 4F), 
and the proxy computer 108 generates the ordered item(s) X and the price amount $Y. The
proxy system has now generated "Item X", "Amount $Y", "Proxy I" and "Session #F". At this
point, the proxy system operator obtains authorization to charge the user's credit card prior to
forwarding order information to the retailer. In step 8 (Fig. 4G), the proxy computer 108
forwards to the bank B a secured message including the customer's proxy identifier I, the
proxy's identity P, the amount of the requested transaction $Y, and the session (transaction)
identifier #F, and requests credit authorization for the transaction. Depending upon business
relationships, the retailer's identity R may have to be supplied (e.g., as a fraud prevention
measure). The bank B already has the customer's account information which is accessed
from the customer's proxy identifier I. (The customer's^ not transmitted
over the Internet, and is not subject to theft or misuse, thereby reducing fraud.) If
authorization is denied (Fig. 4H), the session is ended, preferably by requesting the user to 
contact his, her or its bank. 

In another embodiment (Figs. 4G and 4K), the proxy identifier I and the customer's 
credit card number Z are held by the proxy system, and are sent to the bank B for credit 
authorization. The proxy system transacts with the retailer using the proxy system's credit 
card D. If the proxy system sends customer transaction information to the customer's bank 
B, and the proxy system sends transaction information to the proxy system's bank B', then the 
proxy system will need a credit line with B' (fourth party 124 in Fig. 3C) in advance of 
transacting. 

If authorization is provided, the bank B in step 9 (Fig. 4I) authorizes credit for the
concerned transaction and forwards authorization information W to the proxy computer 108,
adds the following (Fig. 4J) to the previously generated order information (item identification
X and amount $Y): the proxy system operator's proxy identifier P, the session identifier #F,
the proxy system operator's credit card number D, the proxy system operator's depot shipping 
address for delivery A. The user's identity transmitted to the retailer R is P#F, a unique 
proxy identity preventing the retailer from linking this transaction with any other 
transactions. In step 10 (Fig. 4J), the proxy computer 108 forwards this information to the
retailer R. The proxy (depot) delivery address A is linked to the user's delivery address G in 
the secured address mapping (SAM) database 119 (Fig. 3B). 

In step 11 (Fig. 4K), the retailer R requests authorization to charge the proxy system
operator's credit card D. This request is made after the bank B approved the customer's credit
in step 9 (Fig. 4I), which is represented in Fig. 4K by the request taking place at Time T + μ.
If the proxy party and the first party have accounts with the same bank B, this request is
made to bank B, as shown in Fig. 4. If not, the request is made to another bank B' (Fig. 4K)
with which the proxy party has an account. If the proxy party's credit is approved, in step 12 
(Fig. 4L) the bank B (or B') provides the authorization Q to the retailer. 

At this point (Fig. 4M), all authorizations have been provided, and the retailer in step 
13 provides the proxy computer 108 with shipper tracking number J for the shipment from 
the retailer to the shipping depot (the first hop), and/or the order number O, which the proxy
computer 108 forwards to the user computer 106 in step 13.5. The tracking number J is also
stored in the SAM 119 and linked to the user's address G and shopping session number #F.
The retailer then ships the good in step 14 to the proxy system operator's shipping depot 
address A with labeling containing the proxy system operator's proxy identifier P and the 
session identifier #F. In step 15 (Fig. 4N), the shipping depot A acknowledges receipt of the
shipment and forwards to the proxy computer 108 acknowledgement of receipt of the
shipped good identified by the session number #F, and a second hop tracking number or 
pick-up number J', also stored in the SAM database 119, and the proxy computer 108 
forwards this information to the user computer 106 in step 15.5. Depending upon 
arrangements with shippers and the proxy shipping depot A, the same tracking number J may 
be used for both the first hop shipment to the proxy shipping depot A and the second hop 
shipment to the customer. 

The proxy computer 108 in step 16 (Fig. 4O) directs the depot A (a) to ship the good
to customer address G designated by the first user to the proxy system if the good is to be
trans-shipped or (b) to hold it for pick-up ("C Picks Up"). The information needed for trans-
shipping is contained in the SAM database 119 (Fig. 3B), which may be located at the
delivery facility 118 or elsewhere. If the good is not to be trans-shipped, it is held at the
depot A for pick-up, otherwise it is transshipped to the customer address G in step 17 (Fig.
4O). If the good is held for pick-up, the proxy computer is informed when the good is picked
up. If it is transshipped, in step 18 (Fig. 4P) confirmation of receipt (H) by the customer is
provided to the shipping depot A, which informs (provides H plus #F to) the proxy computer
108 in step 19. 
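
The separation of data in steps 7 through 17 above can be sketched in code. This is an added illustration, not code from the patent or from any iPrivacy product; the class, function and field names and all sample values are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Symbols follow the text: P proxy identifier, D proxy credit card, A depot
# address, I customer's proxy identifier, G customer address, #F session number.
# Every value here is constructed for the example.
PROXY_P = "IPRIV"
PROXY_CARD_D = "0000-PROXY-CARD"
DEPOT_A = "Depot A, 1 Transship Way"
ORDER_FIELDS = {"items", "amount"}  # assumption: all a retailer needs from the form


@dataclass
class SamRecord:
    """One row of the secured address mapping (SAM) database, keyed by #F."""
    proxy_identifier_i: str
    address_g: Optional[str]  # None means hold at the depot for pick-up
    tracking_j: Optional[str] = None


class Proxy:
    def __init__(self):
        self.sam = {}     # session #F -> SamRecord
        self.orders = {}  # session #F -> order portion of the form

    def accept_form(self, proxy_identifier_i, form, address_g=None):
        """Steps 7 and 7.5: keep order fields only, issue #F, index G by #F."""
        session_f = secrets.token_hex(8)  # unpredictable, so P#F cannot be guessed
        self.orders[session_f] = {k: v for k, v in form.items() if k in ORDER_FIELDS}
        self.sam[session_f] = SamRecord(proxy_identifier_i, address_g)
        return session_f

    def bank_request(self, session_f):
        """Step 8: the bank receives I, P, $Y and #F; no card number, no items."""
        return {"I": self.sam[session_f].proxy_identifier_i, "P": PROXY_P,
                "Y": self.orders[session_f]["amount"], "F": session_f}

    def retailer_order(self, session_f):
        """Step 10: the retailer sees the proxy as buyer, identified only as P#F."""
        order = self.orders[session_f]
        return {"X": order["items"], "Y": order["amount"],
                "buyer": f"{PROXY_P}#{session_f}", "card": PROXY_CARD_D,
                "ship_to": DEPOT_A}

    def record_tracking(self, session_f, tracking_j):
        """Step 13: the first-hop tracking number J is stored against #F."""
        self.sam[session_f].tracking_j = tracking_j

    def relabel(self, inbound_label):
        """Steps 15 to 17: the depot resolves the P#F label to the second hop."""
        proxy_id, _, session_f = inbound_label.partition("#")
        record = self.sam.get(session_f)
        if proxy_id != PROXY_P or record is None:
            return "REJECT: unknown session"  # never guess a destination
        if record.address_g is None:
            return f"HOLD FOR PICK-UP {session_f}"
        return f"SHIP TO {record.address_g}"


def leaked_values(message, private_values):
    """Return the private values that appear anywhere in an outbound message."""
    blob = repr(message)
    return [value for value in private_values if value in blob]


if __name__ == "__main__":
    proxy = Proxy()
    form = {"items": ["book"], "amount": 25.0, "name": "Carol Example",
            "address": "7 Elm St", "card_number": "1111-2222-3333-4444"}
    session = proxy.accept_form("I-1001", form, address_g="7 Elm St")
    order = proxy.retailer_order(session)
    print(order)
    print("leaks:", leaked_values(order, ["Carol Example", "7 Elm St", "I-1001"]))
    print(proxy.relabel(order["buyer"]))
```

The SAM dictionary is the only place where #F and the address G meet, which is why the text keeps that database at the proxy or depot and reaches it over a secured channel.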

The proxy computer 108 confirms to the bank B in step 20 (Fig. 4Q) that the good 
was shipped by providing the session identifier #F and the confirmation H. In step 21, the
bank B nets fee transactions as illustrated in Fig. 5, including payment of a fee to the proxy 
party, as follows: the Customer C is charged $Y; and settles with the bank B; the retailer R is 
paid $Y less the customary transaction fee by the bank B; and the proxy party (iPrivacy) is
paid a percentage of the transaction fee by the bank B. The bank B's transaction data, stored
in a transaction database 117 (Fig. 3B), is shown in Fig. 7, where time T indicates
transactions relating to the Customer C, and time "T + μ" indicates transactions relating to
the proxy party (iPrivacy). Fig. 7 shows the data generated by the transaction which the 
proxy party can store in the transaction database 115 (Fig. 3B), and where appropriate, make 
available to others. 

The proxy tracking numbers J and J' are provided via the SAM database 119 (Fig. 3B)
and to the user through the proxy system or via email to the user for the user to track the
delivery. The retailer R does not receive the second hop tracking number J'.

In the embodiment described above, the session identifier #F is the data key to the 
data record for the transaction. 

Variations of the transaction represented in Fig. 4 are possible and contemplated. As
discussed above, in another embodiment represented in Fig. 3C, two banks are involved: one 
as the credit card company of the user (third party) and the other as the credit card company 
of the proxy (fourth party). 

Fig. 3B shows the authorization, crediting and debiting steps where one bank is
involved, and Fig. 3C where two banks are involved. Fig. 3F shows authorization, crediting 
and debiting where two banks are involved and the proxy party is eliminated from the 
authorization, crediting, debiting and liability chains. Fig. 3G shows authorization, crediting 
and debiting where no proxy is involved. 

Referring to Fig. 4, the authorization steps 11, 12 are between the second party vendor
and the proxy system operator's bank, and the authorization steps 8 and 9 are between the
proxy system and the user's bank. The order of the authorizations 8, 9 and 11, 12 may be
reversed if desired. The vendor charges the purchase price to the proxy system operator's
bank and the proxy system charges the purchase price to user's bank, and netting provides the
two banks and the proxy system with part of the bank fee. Depending upon the
arrangement, identification of the good may be withheld from both banks and the identity of
the vendor may be withheld from the user's bank.

The table in Fig. 8 summarizes the transaction data available to various parties. 
Variations are possible regarding data available to the various parties to a transaction, some 
of which are indicated in the table shown in Fig. 8. The table in Fig. 8 is meant to be 
exemplary. 

Referring to Figs. 3, 3A-3C, the user proxy software 114a extends a user's WWW
browser to monitor, filter and reroute interactions between the browser and WWW servers
(retailers R). The user proxy software 114a and/or the proxy computer software 114b provide
anonymizing transformations of these interactions to assure user's privacy, as briefly 
discussed above and in more detail below. 

Fig. 9 depicts the various protocol layers of IP packets processed by first party (user)
computers, proxy party computers and second party computers. With the user proxy
software 114a active, the proxy computer software 114a strips the user computer's IP address
G' (Fig. 4) in cooperation with the user proxy software and substitutes the proxy computer's
IP address (identifier A'), which redirects the messages to the respective destination WWW
server (second party retailer computer 110). (The user computer's IP address G' is needed by
the proxy computer. Therefore, stripping is performed by the proxy computer software.)
The TCP protocol layer does not present privacy risks and the proxy computer software does
not intervene in its processing. The HTTP protocol layer has various header fields that
provide identification of the source browser system. The proxy computer software 114b
replaces all information in these fields with headers that represent the proxy system and do
not disclose private information about the customer's browser system.

In addition, the proxy computer 108 monitors and filters private information in 
HTML documents. In particular, when a form is presented to the customer computer that 
includes identifying fields, the user can select a private channel mode on the customer 
computer browser and have the respective fields filled with information that identifies the
proxy system instead, and does not compromise the user's information. The proxy computer
also protects the user's system against access by Java agents to private data.

For example, the HTTP header may be replaced and the header contents filtered. As
part of the content filtering, the user proxy software and/or proxy computer software also
removes private past history from the content portion of the message to be transmitted to the
designated WebPage. The level of filtering may be made user selectable.

Content filtering may be accomplished as follows, for example.

1. Filtering cookie data: Various transactions with WWW servers deposit
cookie data on users' PCs. This cookie data is used to simplify access by users to various
services and to maintain status of transactions between a WWW server and a browser.
However, cookie data is often used to identify the user and correlate access to multiple
services, thus compromising private data. The proxy software manages the cookie data to
limit access to the data by external software. The proxy software allows access to cookies
only to the owner system that created them. Thus, a given WWW server can only access cookie
data that it deposited but not other cookie data generated by others.

2. Filtering data collected by active code: Some web pages may include
active code such as Java applets (or Java scripts), or Active X. This code may access various
files and data of the user's computer. The proxy system creates a protective shell around the
interpreters of these active procedures (e.g., a Java virtual machine) that routes all accesses to
such data to respective anonymizing data sources.

There are alternate means of accomplishing the filtering of communications at the various
layers in the protocol stack, from IP addresses on up to the HTTP layer and beyond. The
filtering function that secures the user's private information can be implemented at the
operating system layer, or as modules that are callable by existing operating system software,
or as complete changes to the browser at the application level. For example, the client proxy
software may be implemented as a completely new downloaded browser modified to filter
and secure the user's private information, or as "plug in" software modules that are directly
called by the user's browser to perform the filter function, or as direct revisions of the
underlying operating system modules (in the case of Windows, rewriting and installing newer
versions of Windows dynamic link library modules otherwise known as DLLs), or as device
drivers that sit on top of the TCP/IP software and filter the communications that flow to and
from the protocol processing software, or "packet sniffing" software packages that capture
communications packets that flow into and out of the PC client and that then may be used to
filter the contents of those packets, or as wrapper technology, software that captures any
interactions with the operating system modules that filters the communication between these
modules. The latter technique is the preferred embodiment since the wrapper technology
allows access to user private information to filter it while communicating via a transport 
protocol such as TCP/IP, and as well allows access to the operating system's file system so 
that cookies and privacy compromising code such as cgi scripts, or Java code, etc., may be 
accessed and filtered. Robert Balzar of the University of Southern California Information 
Science Institute has made available information on Windows OS wrapper technology that 
intercepts Windows DLL calls. 

3. Replacing compromising procedures: With XML, information pages
loaded by a server into a user PC may incorporate marks that activate compromising 
procedures. The meaning of such marks is defined by XSL and DTD files, processed by a 
local XML interpreter at the browser. The XSL files bind a mark to its meaning. The proxy 
system replaces compromising procedures defined by XSL files, with alternative XSL files 
that assign non-compromising procedures to retrieve anonymized data instead. This 
mechanism is not strictly necessary because the filtering described in 2 above will prevent 
access to compromising data anyway; the main purpose of replacing XSL libraries is to 
accelerate and simplify filtering whenever possible. 

The proxy system 112 (Figs. 3, 3A-3C) runs two protection algorithms, one for
outgoing information and one for incoming information. The algorithm for outgoing
information is illustrated in the flow chart depicted in Fig. 10. In step 10.1 the outgoing
information to be sent by a browser, or any code activated by the browser, is captured and
analyzed by the user proxy software 114a (Figs. 3, 3A-3C). This information is analyzed in
step 10.2 to determine whether it includes private information; for example, user name and
password or a transaction form. If so, the private information is replaced with proxy system
information (step 10.3) and the entire data is sent to the proxy computer 108 (step 10.4)
where it is further processed. In step 5, all data is routed through the proxy computer 104 to
hide the IP source address. Tunneling may be used to forward packets from the user proxy
software 114a in the customer computers 106 to the proxy computer software 114b in the
proxy computer 108.
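
The sketch below is an added illustration, not code from the patent, of steps 10.2 and 10.3 together with the header replacement and owner-only cookie rule described earlier. The header list, form field names, proxy values and hosts are all constructed assumptions, and cookie ownership is simplified to an exact host match.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed proxy-system values; placeholders, not taken from the patent.
PROXY_HEADERS = {"User-Agent": "PrivacyProxy/1.0", "Accept-Language": "en"}
PROXY_FORM_DATA = {
    "name": "Proxy Account F-0001",
    "email": "f-0001@proxy.example",
    "address": "Proxy Shipping Depot",
    "card_number": "PROXY-CARD-TOKEN",
}
# Request headers that describe the source browser, its history or its path.
IDENTIFYING_HEADERS = {"user-agent", "referer", "from", "accept-language",
                       "cookie", "x-forwarded-for", "via"}


class OwnerScopedCookies:
    """Cookie store keyed by the host that deposited each cookie."""

    def __init__(self):
        self._by_owner = {}

    def deposit(self, owner_host, name, value):
        self._by_owner.setdefault(owner_host.lower(), {})[name] = value

    def header_for(self, dest_host):
        """Only cookies the destination itself deposited are sent back to it."""
        own = self._by_owner.get(dest_host.lower(), {})
        return "; ".join(f"{name}={value}" for name, value in own.items())


def filter_outgoing(dest_host, headers, form_body, cookies):
    """Steps 10.2-10.3: return (headers, body, replaced_fields) safe to forward."""
    # Drop every identifying header, whatever its capitalisation, then
    # substitute headers that describe the proxy system instead.
    clean = {k: v for k, v in headers.items()
             if k.lower() not in IDENTIFYING_HEADERS}
    clean.update(PROXY_HEADERS)

    # Rebuild the Cookie header from the owner-scoped store so that a cookie
    # set by one server is never disclosed to another.
    cookie_header = cookies.header_for(dest_host)
    if cookie_header:
        clean["Cookie"] = cookie_header

    # Replace private form fields with proxy-system data; leave the rest.
    replaced, fields = [], []
    for key, value in parse_qsl(form_body, keep_blank_values=True):
        if key.lower() in PROXY_FORM_DATA:
            fields.append((key, PROXY_FORM_DATA[key.lower()]))
            replaced.append(key)
        else:
            fields.append((key, value))
    return clean, urlencode(fields), replaced


def demo():
    """Run the filter over one constructed request to a constructed retailer."""
    jar = OwnerScopedCookies()
    jar.deposit("shop.example", "cart", "abc123")
    jar.deposit("tracker.example", "uid", "42")  # deposited by another server
    request_headers = {
        "Host": "shop.example",
        "user-agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
        "Referer": "http://clinic.example/appointments",
        "Cookie": "cart=abc123; uid=42",
    }
    body = "name=Jane+Doe&email=jane%40home.example&item=sku-9&qty=1"
    return filter_outgoing("shop.example", request_headers, body, jar)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The browser-supplied Cookie header is discarded rather than edited, so a cookie from another server cannot reach the retailer even if the browser attached it.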

The flow chart in Fig. 11 illustrates the proxy system algorithm to handle incoming
data arriving at a browser, or code activated by the browser. After accepting the data (step
11.1), the user proxy software 114a (Figs. 3, 3A-3C) analyzes its contents to identify code
that may be used to compromise the user private information. Such code can include HTML
forms, or Java applets/scripts. If such code is found, the user proxy software 114a activates a
protection wrapper to monitor and filter all interactions between this code and local resources
(step 11.3). The wrapper will, depending on privacy selection by the user, prevent code from
accessing local resources that may compromise private information. Additionally, if such
code requires user input of private information, the protection display activated in step 11.4
enables the user to enter proxy system data instead of private information.

The proxy computer(s) 108 (Figs. 3, 3A-3C) perform two major functions. First, the
proxy computer routes IP packets between customer computers 106 (proxy clients) and
second party vendor computers 110 (WWW servers) via respective tunnels that hide the IP
source identity. This function is performed at the network protocol layer by respective
routers/switches. Upon activation of the user proxy software 114a, the proxy computer
software 114b and user proxy software 114a authenticate each other and then establish a
tunnel between them. The proxy computer strips the source IP envelope produced by the
user proxy software and forwards the internal IP packets to the destination. This internal IP
packet is configured with a proxy computer address as the source address. When an IP packet
is returned to this source address, the proxy computer tunnels it to the respective user proxy
software.

Second, the proxy computer software 114b (Figs. 3, 3A-3C) interacts with the user
proxy software 114a to privatize transactions between user computers 106 and respective
transaction servers (second party vendor computers) 110. The user proxy software captures
forms used by user computers to handle transactions. The fields of these forms are replaced
by the user proxy software with data identifying the proxy computer as the transacting entity.
The proxy computer uses this data to obtain authorization from a respective credit card
clearing service for the transaction amount and then to submit a respective privatized
transaction to the vendor computer, which sees only data identifying the proxy computer as
the source of the transaction.

The proxy computer algorithm that handles this credit processing is depicted in Fig.
12. In step 12.1 the proxy computer obtains transaction data created by the user proxy
software 114a (Figs. 3, 3A, 3B), and uses this data to extract the financial data needed to
execute the transaction (step 12.2) and pursue clearing of the financial transaction with a
credit card clearing entity (bank B, Fig. 4) (step 12.3). If the credit card entity approves the
transaction (step 12.4) the proxy computer transacts on behalf of the user computer 106 with
the retailer server 110 (step 12.5), the proxy computer becoming a proxy client to the retailer
service. For example, the proxy computer will submit the transaction form of the retailer
filled with financial data and shipping address identifying the proxy computer as the client.
In step 12.6 the proxy computer instructs the user proxy software on the transaction status
(e.g., completed or denied) and the user proxy software presents the results to the respective
user computer.

A retailer transacting with a customer (user) through the proxy system will produce 
deliverable goods that need to be sent to the customers. In order to hide a customer's shipping 
address, the packaged goods are labeled with a code, preferably machine readable such as a 
bar code, that identifies a proxy authorized, associated or owned shipping facility as the 
delivery address. In a label-switching embodiment, the proxy system shipping depot scans 
these labels and produces respective labels with the destination address designated by the 
customer. The package is relabeled (or repackaged or wrapped) and then sent to the 
customer-designated address. In a first hop, the shipper delivers the package sent by the 
retailer labeled with the unique session identifier #F to the proxy shipping depot 118 (Figs.
3A-3B). The proxy shipping depot A uses this session identifier to generate a label with the
customer designated address, and the customer's name. In case of return, the proxy shipping
depot A reverses the process and relabels the package with the respective identifier. This
information is stored in the SAM database 119 (Fig. 3B), which may be located at the 
delivery facility. 

Fig. 13 illustrates label switching and depicts the sender (retailer), recipient
(customer), shippers and two proxy system entities (Fig. 3B, proxy software 114 and proxy
shipping depot 118) within the box who are responsible for protecting the private information
of the recipient/customer by creating a privacy protection barrier separating the
sender/retailer from the recipient/customer. The proxy software brokers transactions
between sender/retailer and recipient/customer (e.g., for passing credit card payment) while
protecting private information. The proxy shipping depot 118 performs label switching, and
protects private information of the recipient/customer through shipping and/or return.



For example, a shipper may provide the proxy shipping depot functions and the proxy party 
may provide the other functions, or the proxy party may provide all of the functions. 

Referring to Fig. 13, a transaction with label-switched shipping proceeds as follows. 
A recipient/customer concludes a transaction with a sender/retailer using the proxy software. 
The proxy software generates a unique (session) identifier (#F) of the transaction and in step 
13.1 provides it to the sender/retailer and recipient/customer. In step 13.2, the proxy software 
provides the unique identifier and the respective recipient identity and shipping address to the 
proxy shipping depot 118. In step 13.3, a package containing the ordered good labeled with 
the unique identifier is delivered to the proxy shipping depot 118, where a new shipping label
is generated with the identifier and address of the recipient/customer and applied to the
package (or the package is repackaged or wrapped etc. with the new label). In step 13.4, the
relabeled package is delivered via a shipper to the address designated by the
recipient/customer. To return a good while securing the recipient/customer's private
information, in step 13.5, the proxy shipping depot 118 reverses the process, replacing the
label with a unique identifier and notifying the proxy software of the relabeled shipment. 
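
As an added illustration (not code from the patent), the following sketch models the depot's side of steps 13.2 to 13.5 and the split between the first hop tracking number J and the second hop number J'. The class, method names, random identifier format and sample addresses are assumptions made for the example.

```python
import secrets

# Constructed depot address used on every first hop label.
DEPOT_ADDRESS = "Proxy Shipping Depot, 10 Main Street, Any Town, USA 12345"


class UnknownLabel(Exception):
    """Scanned identifier is not on file, or is in the wrong state."""


def new_session_id():
    """Session identifier #F; random so it reveals nothing about the customer."""
    return "F" + secrets.token_hex(8)


class ProxyShippingDepot:
    """Holds the only mapping from #F to the recipient (SAM database role)."""

    def __init__(self):
        self._sam = {}

    def register(self, session_id, name, address):
        """Step 13.2: proxy software supplies #F with the real recipient."""
        self._sam[session_id] = {
            "name": name, "address": address, "state": "expected",
            "first_hop_tracking": "J-" + secrets.token_hex(4),
            "second_hop_tracking": None,
        }

    def first_hop_label(self, session_id):
        """Label the retailer prints: depot address and #F, nothing else."""
        self._record(session_id)
        return {"to": DEPOT_ADDRESS, "ref": session_id}

    def relabel(self, scanned_ref):
        """Step 13.3: switch the label once; a second scan is rejected."""
        rec = self._record(scanned_ref)
        if rec["state"] != "expected":
            raise UnknownLabel("label already switched")
        rec["state"] = "forwarded"
        rec["second_hop_tracking"] = "J2-" + secrets.token_hex(4)
        return {"to": f'{rec["name"]}, {rec["address"]}',
                "tracking": rec["second_hop_tracking"]}

    def return_label(self, session_id, retailer_address):
        """Step 13.5: reverse the switch; the return carries only #F."""
        rec = self._record(session_id)
        if rec["state"] != "forwarded":
            raise UnknownLabel("nothing was forwarded under this identifier")
        rec["state"] = "returned"
        return {"to": retailer_address, "from": DEPOT_ADDRESS,
                "ref": session_id}

    def retailer_view(self, session_id):
        """Tracking data for the retailer: first hop only, ending at the depot."""
        rec = self._record(session_id)
        return {"to": DEPOT_ADDRESS, "tracking": rec["first_hop_tracking"]}

    def customer_view(self, session_id):
        """Tracking data for the customer: both hops."""
        rec = self._record(session_id)
        return {"first_hop_tracking": rec["first_hop_tracking"],
                "second_hop_tracking": rec["second_hop_tracking"]}

    def _record(self, session_id):
        try:
            return self._sam[session_id]
        except KeyError:
            raise UnknownLabel("identifier not on file") from None


if __name__ == "__main__":
    depot = ProxyShippingDepot()
    sid = new_session_id()
    depot.register(sid, "Jane Doe", "1 Home Lane, Hometown")  # constructed
    print(depot.first_hop_label(sid))
    print(depot.relabel(sid))
    print(depot.retailer_view(sid))
```

Every structure handed to the retailer is built from the depot address and the identifier alone, so the privacy barrier does not depend on the retailer discarding data it was sent.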

The above steps may involve multiple different media for communications and/or
label switching. Specifically, in step 13.1, handling a transaction that results in shipping may
be conducted electronically (indicated by broken lines) over a computer network such as the
Internet. Alternatively, it may be handled via a telephone call for a catalogue order; a fax 
transmission of an order; or any other form of communications. Step 13.2 may be conducted 
through transmission of a message to the label-switching provider or by providing actual 
labels. In step 13.3, label-switching may too be handled in many ways. The unique identifier 
of a package may be coded in a bar code printed on a shipping label; alternatively it may be 
supplied as a number or a string of characters or any other form that uniquely identifies the 
package. The proxy shipping depot 118 will typically use special equipment to read the label
and identify the recipient name and address. It may print this data on a new label to be placed 
on the package. Alternatively, it may provide the shipper with a file that can be used to 
generate the shipping address on a computer screen by scanning the label. This enables the 
shipper to deliver the package directly based on the original identifier. 

Label-switched shipping accomplishes the following: (a) two way privacy protection; 
(b) two-way verifiability through complete tracing of each shipping stage; (c) one-time
per-shipping privacy; and (d) full coordination and exchange of data with all entities participating
in a transaction. Thus, label-switched privacy-protection accomplishes the primary goals 
identified above. There is, however, an extra cost in the transaction for handling the label 
switching. Such costs are scalable and are incurred per shipment not per recipient or sender 
as with the costs of POB-based techniques. The alternative method of delivery, depot pick- 
up, does not introduce additional costs and, in fact, can result in cost savings compared to 
current shipping.

One-time Virtual Mailbox (OVM) technique for privacy-protected shipping operates as
follows. This technique is called one-time virtual mailbox because the OVM provider (e.g., 
the proxy shipping depot 118) functions as if a virtual mailbox has been opened and 
terminated for a package and the recipient must use a secret key to retrieve its contents. 
Referring to Fig. 14, step 14.1 is the same as step 13.1 described above for label-switched 
shipping. In steps 14.2 and 14.3, the sender/retailer ships the package via a shipper to the 
address of an OVM provider depot (e.g., the proxy shipping depot 118) with a unique 
identifier printed on the package. For example, OVM77432572980975, 10 Main Street, Any 
Town, USA 12345. The shipper (step 14.3) delivers the package to the OVM depot at the 
depot's address. The recipient claims the package (step 14.4) by providing the OVM depot 
with the unique session identifier #F on the package, and optionally other information such 
as the order number. Preferably, a second form of authorization is required, for example, 
secret information such as a biometric or a confidential code or password known to the 
recipient and the OVM provider. A return is accomplished in step 14.5, where the process is 
reversed and simplified. The recipient/customer ships the return package directly to the
sender/retailer with the respective OVM delivery identifier. 
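
The following added sketch, which is not the patent's own code, shows one way an OVM depot could check the claim in step 14.4: the mailbox is keyed by the identifier on the package, the second form of authorization is a confidential code stored only as a salted PBKDF2 digest, and the mailbox is terminated on release. The class, return strings, attempt limit and sample codes are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3        # assumed limit on wrong codes before the box locks
PBKDF2_ROUNDS = 100_000  # assumed work factor


class OneTimeVirtualMailbox:
    """One mailbox per package, opened for the order and removed on pickup."""

    def __init__(self):
        self._boxes = {}

    def open_box(self, session_id, pickup_code):
        """Called when the order is placed; only a salted digest is kept."""
        salt = secrets.token_bytes(16)
        self._boxes[session_id] = {
            "salt": salt,
            "digest": self._derive(pickup_code, salt),
            "failures": 0,
            "arrived": False,
        }

    def package_arrived(self, session_id):
        """Step 14.3: the shipper delivers the labeled package to the depot."""
        box = self._boxes.get(session_id)
        if box is None:
            return False
        box["arrived"] = True
        return True

    def claim(self, session_id, pickup_code):
        """Step 14.4: release the package only for identifier plus code."""
        box = self._boxes.get(session_id)
        # Unknown identifiers and packages still in transit get the same
        # answer, so a caller cannot probe which identifiers exist.
        if box is None or not box["arrived"]:
            return "no-package"
        if box["failures"] >= MAX_ATTEMPTS:
            return "locked"
        candidate = self._derive(pickup_code, box["salt"])
        # Constant-time comparison avoids leaking how much of the code matched.
        if not hmac.compare_digest(candidate, box["digest"]):
            box["failures"] += 1
            return "locked" if box["failures"] >= MAX_ATTEMPTS else "denied"
        # The mailbox is terminated with the pickup: nothing links the
        # identifier to a recipient afterwards, and it cannot be reused.
        del self._boxes[session_id]
        return "released"

    @staticmethod
    def _derive(code, salt):
        return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt,
                                   PBKDF2_ROUNDS)


if __name__ == "__main__":
    ovm = OneTimeVirtualMailbox()
    ovm.open_box("OVM-EXAMPLE-1", "4821-blue")   # constructed identifier/code
    ovm.package_arrived("OVM-EXAMPLE-1")
    print(ovm.claim("OVM-EXAMPLE-1", "guess"))      # denied
    print(ovm.claim("OVM-EXAMPLE-1", "4821-blue"))  # released
    print(ovm.claim("OVM-EXAMPLE-1", "4821-blue"))  # no-package
```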

Tracking of the user's delivery is accomplished easily by the SAM database 119 (Fig. 3B) 
and the trans-shipper's tracking system. By providing a tracking number to the Retailer R that 
only reveals the depot address, or another proxy address, the user's true address is secured 
from the retailer, who cannot determine the true address from the tracking system. The true 
tracking number provided to the user provides the means of tracking the shipment.

The OVM and the proxy tracking number techniques accomplish privacy-protected
shipping, which may be implemented using various media, communications and transactions.

Although the invention has been described and illustrated in connection with
preferred embodiments, many variations and modifications, as will be apparent to those of
skill in the art, may be made without departing from the spirit and scope of the invention.
The invention as set forth in the appended claims is thus not limited to the precise details of
construction set forth above as such variations and modifications are intended to be included
within the spirit and scope of the invention as set forth in the claims.

CLAIMS

1. A method for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the method providing for a delivery address to which the good can 
be delivered while securing said information of the first party with respect to the second 
party, comprising the steps of: 

the first and second parties communicating over the network using respective devices; 
providing information from the first device directed to the second device for 
communicating with the second device or to order a good while securing said information of 
the first party; and 

providing a delivery address to the second party to which the good is to be delivered, 
the delivery address not enabling the second party to determine said information of the first 
party. 

2. The method of claim 1 wherein the step of providing information from the first 
device directed to the second device while securing said information comprises providing
proxy identifying information specific to the first party or the first device but from which the 
second party can not determine said information. 

3. The method of claim 1 wherein the step of providing information from the first
device directed to the second device while securing said information comprises the step of 
altering information from the first device directed to the second device while securing said 
information of the first party.

4. The method of claim 3 wherein the step of the first and second parties
communicating with each other over the network comprises the first party using a first
computer and the second party using a second computer.

5. The method of claim 4 wherein the step of altering said information from the 
first device comprises altering said information from the first computer using proxy software 
associated with the first computer or a proxy computer, or both. 

6. The method of claim 5 wherein the step of providing the delivery address 
comprises using the proxy software to provide the delivery address. 

7. The method of claim 4 wherein the step of providing the delivery address 
comprises using proxy software associated with a proxy computer. 

8. The method of claim 1, 2, 3, 4, 5, 6 or 7 including the step of providing for 
delivery of the good to the delivery address.

9. The method of claim 8 wherein the good is a physical good and the delivery 
address is the address of a physical facility, and wherein the step of providing for delivery of 
the good to the delivery address includes the second party providing for physical shipment of 
the good to the physical facility. 

10. The method of claim 9 including the step of making the good available at the
physical facility for pick up by or on behalf of the first party in a manner which does not
require said information of the first party to be revealed at the physical facility.

11. The method of claim 10 including the step of providing a physical address,
which may not secure said information of the first party, designated by the first party to the
physical facility but not to the second party.

12. The method of claim 11 including the step of providing for shipment of the
good from the physical facility to the physical address.

13. The method of claim 7 wherein the good is an electronically transmittable file 
and the delivery address is an electronic address of a proxy computer, the step of providing 
for delivery of the good to the delivery address including the second party providing for 
electronic transmission of the file to the proxy computer. 

14. The method of claim 13 including the step of the proxy computer transmitting 
the file to an electronic address of the first party, which may not secure said information of 
the first party, which is available to the proxy computer but not to the second party. 

15. The method of claim 2 wherein the good is an electronically transmittable file
and the delivery address is an electronic address associated with the proxy identifying 
information of the first device, the step of providing for delivery of the good to the delivery 
address including the second party providing for electronic transmission of the file to the 
electronic address of the first device. 

16. The method of claim 3 wherein the step of altering information from the first
device comprises altering at least a content protocol layer of the information. 

17. The method of claim 3 wherein the communications network is the Internet,
the step of the first and second parties communicating with each other over the network 
comprises the first party using a first computer and the second party using a second 
computer, and the step of altering information from the first computer comprises altering at 
least a content protocol layer of the information.

18. The method of claim 17 wherein altering the information at least at a content
layer comprises filtering cookie data.

19. The method of claim 17 wherein altering the information at least at a content
layer comprises filtering active code.

20. The method of claim 17 wherein altering the information at least at a content
layer comprises filtering compromising procedures.

21. The method of claim 1 wherein the communications network is the Internet
and the identifying information is an identity associated with the first party, and wherein the
step of providing identifying information specific to the first party or the first device but from
which the second party can not determine said information comprises providing a proxy 
identity for the first party. 

22. A method for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the method providing for payment to the second party and a delivery 
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising the steps of: 

the first and second parties communicating over the network using respective devices; 

providing information from the first device directed to the second device for 
communicating with the second device or to order a good while securing said information of 
the first party;

providing for approval or disapproval of the purchase of the good by the first party
from the second party based on financial information relating to the first party, and if the 
purchase is approved, providing for payment to the second party while securing said 
information of the first party with respect to the second party; and 

providing a delivery address to the second party to which the good is to be delivered, 
the delivery address not enabling the second party to determine said information of the first 
party. 

23. The method of claim 22 wherein the step of providing for approval or 
disapproval comprises another party providing for approval or disapproval of the purchase 
based on financial information relating to the first party, and wherein the step of providing 
for payment if the purchase is approved comprises the other party providing for payment to 
the second party and providing for debiting of the first party. 

24. The method of claim 23 wherein the step of providing for approval or 
disapproval comprises the other party being a third party who approves or disapproves of the 
purchase based on financial information relating to the first party, and wherein the step of 
providing for payment if the purchase is approved comprises the third party paying the 
second party and debiting the first party. 

25. The method of claim 23 wherein the step providing for approval or disapproval 
comprises the other party arranging with at least a third party to provide for approval or 
disapproval of the purchase based on the financial information relating to the first party, and 
wherein the step of providing for payment comprises the other party arranging with at least 
the third party to provide for payment to the second party and debiting of the first party.

26. The method of claim 23 wherein the step of the first and second parties
communicating with each other over the network comprises the first party using a first 
computer and the second party using a second computer, and wherein the step of providing 
for approval or disapproval comprises the other party being a proxy party and using proxy 
software associated with the first computer or a proxy computer, or both, and wherein the
step of providing for payment if the purchase is approved comprises the proxy party using
the proxy software to provide for payment to the second party and debiting of the first party. 

27. The method of claim 26 wherein the step of providing for approval or 
disapproval comprises the proxy party arranging with at least a third party to provide for 
approval or disapproval of the purchase based on the financial information relating to the first 
party, and wherein the step of providing for payment comprises the proxy party arranging 
with the third party to provide for payment to the second party and debiting of the first party. 

28. The method of claim 27 wherein the step of providing for approval or 
disapproval comprises the third party using a third computer communicating with the proxy
computer to approve or disapprove the purchase based on financial information relating to
the first party available to the third party, and wherein the step of providing for payment if
the purchase is approved comprises the third party electronically crediting the second party 
and electronically debiting the first party. 

29. The method of claim 28 wherein the step of debiting includes debiting a credit 
card account of the first party.

30. The method of claim 28 or 29 comprising the step of providing for payment of 
a fee to the proxy party for the proxy party's participation in purchases in which the third 
party also participates.

31. The method of claim 30 wherein the step of providing for payment of the fee
to the proxy party comprises payment of a fee for each purchase by a first party from a 
second party in which the third party participates. 

32. The method of claim 30 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each first party enabled to purchase from a 
second party. 

33. The method of claim 30 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for enabling the third party to participate in 
purchases made by first parties from second parties. 

34. The method of claim 26 wherein the step of providing for approval or 
disapproval comprises the proxy party arranging with a third party using a third computer to 
provide for approval or disapproval of the purchase based on financial information relating to 
the first party and a fourth party using a fourth computer to provide for approval or 
disapproval of the purchase based on financial information relating to the proxy party, 
wherein the step of providing for payment to the second party includes the fourth party 
electronically crediting an account of the second party and electronically debiting an account 
of the proxy party, and the third party electronically crediting an account of the proxy party 
and electronically debiting an account of the first party. 

35. The method of claim 34 wherein the step of debiting the account of the first 
party includes debiting a credit card account of the first party. 

36. The method of claim 34 or 35 comprising the step of providing for payment of 
a fee to the proxy party for the proxy party's participation in purchases in which the third 
party or the fourth party also participates. 

37. The method of claim 36 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each purchase by a first party from a 
second party in which the third party or the fourth party participates. 

38. The method of claim 36 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each first party enabled to purchase from a 
second party. 

39. The method of claim 36 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for enabling the third party or the fourth party 
to participate in purchases made by first parties from second parties. 

40. The method of claim 28 wherein the step of providing for payment to the 
second party comprises the third party assuming all responsibility and financial liability for 
paying the second party and collecting from the first party, and including the step of the third 
party paying a fee to the proxy party. 

41. The method of claim 28 wherein the proxy party receives information 
concerning transactions between first parties and second parties including said information of 
the first party, the method including the step of the proxy party providing certain of said 
information of the first party to the third party beyond information required by the third party 
to carry out the approval and disapproval step and the payment step. 

42. The method of claim 28 wherein the proxy party associated with the proxy 
software and the first party both have accounts with the third party, and wherein the step of 
providing payment to the second party includes the proxy software providing the second 
party with information of the proxy party's account with the third party, and if the third party 
authorizes payment, the third party paying the second party and debiting the first party. 

43. The method of claim 42 wherein the step of providing payment includes the 
third party electronically debiting a credit card account of the first party. 

44. The method of claim 42 or 43 comprising the step of the third party providing 
payment of a fee to the proxy party. 

45. The method of claim 22 wherein the step of providing information from the 
first device directed to the second device while securing said information comprises 
providing identifying information specific to the first party or the first device but from which 
the second party can not determine said information. 

46. The method of claim 22 wherein the step of providing information from the 
first device directed to the second device while securing said information comprises the step 
of altering information from the first device directed to the second device. 

47. The method of claim 46 wherein the step of altering information from the first 
device comprises altering at least a content protocol layer of said information. 

48. The method of claim 46 wherein the step of the first and second parties 
communicating with each other over the network comprises the first party using a first 
computer and the second party using a second computer. 

49. The method of claim 48 wherein the step of altering information from the first 
device comprises altering said information from the first computer using proxy software 
associated with the first computer or a proxy computer, or both. 

50. The method of claim 46 wherein the communications network is the Internet, 
the step of the first and second parties communicating with each other over the network 
comprises the first party using a first computer and the second party using a second 
computer, and the step of altering information from the first computer comprises altering at 
least a content protocol layer of the information. 

51. The method of claim 50 wherein altering information at least at a content layer 
comprises filtering cookie data. 

52. The method of claim 50 wherein altering information at least at a content layer 
comprises filtering active code. 

53. The method of claim 50 wherein altering said information at least at a content 
layer comprises filtering compromising procedures. 

54. The method of claim 26 wherein the step of providing the delivery address 
comprises using the proxy software. 

55. The method of claim 22 wherein the step of providing the delivery address 
comprises using proxy software associated with a proxy computer. 

56. The method of claim 22, 54 or 55 including the step of providing for delivery 
of the good to the delivery address. 

57. The method of claim 56 wherein the good is a physical good and the delivery 
address is the address of a physical facility, and wherein the step of providing for delivery of 
the good to the delivery address includes the second party providing for physical shipment of 
the good to the physical facility. 

58. The method of claim 57 including the step of making the good available at the 
physical facility for pick up by or on behalf of the first party in a manner which does not 
require said information of the first party to be revealed at the physical facility. 

59. The method of claim 57 including the step of providing for the shipment of the 
good from the physical facility to a physical address, which may not secure said information 
of the first party, designated by the first party which is made available at the physical facility 
but not to the second party. 

60. The method of claim 56 wherein the good is an electronically transmittable file 
and the delivery address is an electronic address of a proxy computer, the step of providing 
for delivery of the good to the delivery address including the second party providing for 
electronic transmission of the file to the proxy computer. 

61. The method of claim 60 including the step of the proxy computer transmitting 
the file to an electronic address of the first party which is available at the proxy computer but 
not to the second party. 

62. The method of claim 45 wherein the good is an electronically transmittable file 
and the delivery address is an electronic address associated with the identifying information 
of the first device, which may not secure said information of the first party, and wherein the 
step of providing for delivery of the good to the delivery address includes the second party 
providing for electronic transmission of the file to the electronic address associated with the 
identifying information of the first device. 

63. The method of claim 45 wherein the communications network is the Internet 
and the identifying information is an identity associated with the first party, and wherein the 
step of providing identifying information specific to the first party or the first device from 
which the second party can not determine said information comprises providing a proxy 
identity for the first party. 

64. A method for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the method providing payment to the second party while securing 
said information of the first party with respect to the second party, comprising the steps of: 

the first and second parties communicating over the network using respective devices; 

providing information from the first device directed to the second device for 
communicating with the second device or to order a good while securing said information of 
the first party; and 

another party providing for approval or disapproval by at least a third party of the 
purchase of the good by the first party from the second party based on financial information 
relating to the first party accessible by the third party, and if the purchase is approved, 
providing for payment to the second party while securing said information of the first party 
with respect to the second party. 

65. The method of claim 64 wherein the step of providing for payment if the 
purchase is approved comprises the other party providing for debiting of the first party. 

66. The method of claim 65 wherein the step of providing for approval or 
disapproval comprises the other party being a third party who approves or disapproves of the 
purchase based on financial information relating to the first party, and wherein the step of 
providing for payment if the purchase is approved comprises the third party paying the 
second party and debiting the first party. 

67. The method of claim 64 wherein the step of providing for approval or disapproval 
comprises arranging with at least a third party to provide for approval or disapproval of the 
purchase based on the financial information relating to the first party, and wherein the step of 
providing for payment comprises the other party arranging with at least the third party to 
provide payment to the second party and debiting of the first party. 

68. The method of claim 67 wherein the step of the first and second parties 
communicating with each other over the network comprises the first party using a first 
computer and the second party using a second computer, and wherein the step of providing 
for approval or disapproval comprises the other party being a proxy party and using proxy 
software associated with the first computer or a proxy computer, or both and wherein the step 
of providing for payment if the purchase is approved comprises the other party using the 
proxy software to provide for payment to the second party and debiting of the first party. 

69. The method of claim 68 wherein the step of providing for approval or 
disapproval comprises the proxy party arranging with a third party to provide for approval or 
disapproval of the purchase based on the financial information relating to the first party, and 
wherein the step of providing for payment comprises the proxy party arranging with a third 
party to provide for payment to the second party and debiting of the first party. 

70. The method of claim 69 wherein the step of providing for approval or 
disapproval comprises the third party using a third computer communicating with the proxy 
computer to approve or disapprove the purchase based on financial information relating to 
the first party available to the third party, and wherein the step of providing for payment if 
the purchase is approved comprises the third party electronically crediting the second party 
and electronically debiting the first party. 

71. The method of claim 70 wherein the step of debiting the account of the first 
party includes debiting a credit card account of the first party. 

72. The method of claim 70 or 71 comprising the step of providing for payment of 
a fee to the proxy party for the proxy party's participation in purchases in which the third 
party also participates. 

73. The method of claim 72 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each purchase by a first party from a 
second party in which the third party participates. 

74. The method of claim 72 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each first party enabled to purchase from a 
second party. 

75. The method of claim 72 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for enabling the third party to participate in 
purchases made by first parties from second parties. 

76. The method of claim 68 wherein the step of providing for approval or 
disapproval comprises the proxy party arranging with a third party using a third computer to 
provide for approval or disapproval of the purchase based on financial information relating to 
the first party and a fourth party using a fourth computer to provide for approval or 
disapproval of the purchase based on financial information relating to the proxy party, 
wherein the step of providing for payment to the second party includes the fourth party 
electronically crediting an account of the second party and electronically debiting an account 
of the proxy party, and the third party electronically crediting an account of the proxy party 
and electronically debiting an account of the first party. 

77. The method of claim 76 wherein the step of debiting the account of the first 
party includes debiting a credit card account of the first party. 

78. The method of claim 76 or 77 comprising the step of providing for payment of 
a fee to the proxy party for the proxy party's participation in purchases in which the third 
party or the fourth party also participates. 

79. The method of claim 78 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each purchase by a first party from a 
second party in which the third party or the fourth party participates. 

80. The method of claim 78 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each first party enabled to purchase from a 
second party. 

81. The method of claim 78 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for enabling the third party or the fourth party 
to participate in purchases made by first parties from second parties. 

82. The method of claim 70 wherein the step of providing for payment to the 
second party comprises the third party assuming all responsibility and financial liability for 
paying the second party and collecting from the first party, and including the step of the third 
party paying a fee to the proxy party. 

83. The method of claim 82 wherein the proxy party receives information 
concerning transactions between first parties and second parties including said information of 
the first party, the method including the step of the proxy party providing certain of said 
information of the first party to the third party beyond information required by the third party 
to carry out the approval and disapproval step and the payment step. 

84. The method of claim 70 wherein the proxy party and the first party both have 
accounts with the third party, and wherein the step of providing payment to the second party 
includes the proxy software providing the second party with information of the proxy party's 
account with the third party, and if the third party authorizes payment, the third party paying 
the second party and debiting the first party. 

85. The method of claim 84 wherein the step of providing payment includes the 
third party electronically debiting a credit card account of the first party. 

86. The method of claim 84 or 85 comprising the step of the third party providing 
payment of a fee to the proxy party. 

87. The method of claim 64 wherein the step of providing information from the 
first device directed to the second device while securing said information comprises 
providing identifying information specific to the first party or the first device but from which 
the second party can not determine said information. 

88. The method of claim 64 wherein the step of providing information from the 
first device directed to the second device while securing said information comprises the step 
of altering information from the first device directed to the second device. 

89. The method of claim 88 wherein the step of altering said information from the 
first device comprises altering at least a content protocol layer of said information. 

90. The method of claim 88 wherein the step of the first and second parties 
communicating with each other over the network comprises the first party using a first 
computer and the second party using a second computer. 

91. The method of claim 90 wherein the step of altering said information from the 
first device comprises altering said information from the first computer using proxy software 
associated with the first computer or a proxy computer, or both. 

92. The method of claim 88 wherein the communications network is the Internet, 
the step of the first and second parties communicating with each other over the network 
comprises the first party using a first computer and the second party using a second 
computer, and the step of altering said information from the first computer comprises altering 
at least a content protocol layer of said information. 

93. The method of claim 92 wherein altering said information at least at a content 
layer comprises filtering cookie data. 

94. The method of claim 92 wherein altering said information at least at a content 
layer comprises filtering active code. 

95. The method of claim 92 wherein altering said information at least at a content 
layer comprises filtering compromising procedures. 

96. The method of claim 87 wherein the communications network is the Internet 
and the identifying information is an identity associated with the first party, and wherein the 
step of providing identifying information specific to the first party or the first device from 
which the second party can not determine said information comprises providing a proxy 
identity for the first party. 

97. A method for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the method providing payment to the second party while securing 
said information of the first party with respect to the second party, comprising the steps of: 

the first and second parties communicating over the network using respective devices; 

altering said information from the first device directed to the second device to prevent 
the second party from determining said information of the first party; and 

providing for approval or disapproval of the purchase by a first party from a second 
party based on (a) an account that the first party has with a third party and (b) an account that 
a proxy party has with a fourth party while securing said information with respect to the 
second party, the third party approving or disapproving the purchase based on account 
information relating to the first party, and the fourth party approving or disapproving the 
purchase based on and account information relating to the proxy party with the fourth party, 
and if the third and fourth parties approve the purchase, the fourth party electronically 
crediting the second party and electronically debiting the proxy party, and the third party 
electronically crediting the account of the proxy party and electronically debiting the first 

98. The method of claim 97 wherein the step of the first and second parties 
communicating with each other over the network comprises the first party using a first 
computer, the second party using a second computer and the proxy party using a proxy 
computer, and wherein the step of the third party approving or disapproving the purchase 
comprises the third computer communicating with the proxy computer, and wherein the step 
of the fourth party approving or disapproving the purchase comprises a fourth computer 
communicating with the proxy computer and the second computer. 

99. The method of claim 98 wherein the step of debiting the first party comprises 
debiting a credit card account of the first party. 

100. The method of claim 98 or 99 wherein the step of debiting the proxy party 
comprises debiting a credit card account of the proxy party. 

101. The method of claim 100 including the step of providing for payment of the 
fee to the proxy party. 

102. The method of claim 101 wherein the step of providing for payment of a fee to 
the proxy party comprises payment of a fee for each purchase by a first party from a second 
party in which the third party or the fourth party participates. 

103. The method of claim 101 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for each first party enabled to purchase from a 
second party. 

104. The method of claim 101 wherein the step of providing for payment of the fee 
to the proxy party comprises payment of a fee for enabling the third party or the fourth party 
to participate in purchases made by first parties from second parties. 

105. The method of claim 97 wherein the step of altering said information from the 
first device comprises altering at least a content protocol layer of said information. 

106. The method of claim 97 wherein the step of the first and second parties 
communicating with each other over the network comprises the first party using a first 
computer and the second party using a second computer. 

107. The method of claim 105 wherein the step of altering said information from 
the first device comprises altering said information from the first computer using proxy 
software associated with the first computer or a proxy computer, or both. 

108. The method of claim 97 wherein the communications network is the Internet, 
the step of the first and second parties communicating with each other over the network 
comprises the first party using a first computer and the second party using a second 
computer, and the step of altering said information from the first computer comprises altering 
at least a content protocol layer of said information. 

109. The method of claim 108 wherein altering said information at least at a content 
layer comprises filtering cookie data. 

110. The method of claim 108 wherein altering said information at least at a content 
layer comprises filtering active code. 

111. The method of claim 108 wherein altering said information at least at a content 
layer comprises filtering compromising procedures. 

112. A system for a first party using a first computer to order a good from a second 
party using a second computer over a communications network linking the first and second 
computers, the first party having information of a personal or private nature specific to the 
first party or the first computer, the system providing for a delivery address to which the 
good can be delivered while securing said information of the first party with respect to the 
second party, comprising: 

the first computer having proxy identifying information which does not reveal said 
information of the first party; 

the first computer having software which 

alters information from the first computer directed to the second computer to prevent 
the second party from determining said information of the first party, and 

provides a delivery address to the second party to which the good is to be delivered, 
the delivery address not enabling the second party to determine said information of the first 
party. 

113. The system of claim 112 comprising a delivery means for delivering the good 
to the delivery address. 

114. The system of claim 113 wherein the good is a physical good and the delivery 
address is the address of a physical facility, and wherein the delivery means comprises means 
for physically shipping the good to the physical facility. 

115. The system of claim 114 including means for making the good available at the 
physical facility for pick up by or on behalf of the first party in a manner which does not 
require said information of the first party to be revealed at the physical facility. 

116. The system of claim 114 including means for physically shipping the good 
from the physical facility to a physical address designated by the first party which is made 
available at the physical facility but not to the second party. 

117. The system of claim 116 including a database storing the physical address 
designated by the first party, at least part of said information of the first party, or information 
relating to the purchase by the first party, or both, and means for accessing the database using 
information relating to the purchase or said information of the first party stored in the 
database to obtain the physical address of the first party to which the good is to be shipped. 

118. The system of claim 112 wherein the good is an electronically transmittable 
file and the delivery address is an electronic address associated with the proxy identifying 
information of the first computer which does not reveal said information, and wherein the 
delivery means comprises means for electronically transmitting the file to the first computer. 

119. The system of claim 115 including means for providing a first label for 
association with the good, the first label having the delivery address and unique information 
relating the good and the first party from which a physical address designated by the first 
party to which the good is to be reshipped can be identified, and means for providing a 
second label that has the physical address designated by the first party and which can replace 
the first label. 

120. The system of claim 119 wherein the means for providing a second label 
includes a database mapping the unique information and the physical address designated by 
the first party. 

121. The system of claim 119 including means for providing a label for association 
with the good, the label having the delivery address and unique information relating the good 
and the first party, and wherein the first computer software provides the unique information 
to the second party. 

122. The system of claim 112 wherein the first computer software alters at least a 
content protocol layer of the information. 

123. The system of claim 112 wherein the network is the Internet and the first 
computer software alters at least a content protocol layer of the information. 

124. The system of claim 123 wherein the first computer software filters cookie 
data. 

125. The system of claim 123 wherein the first computer software filters active 
code. 

126. The system of claim 123 wherein the first computer software filters 
compromising procedures. 

127. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for a delivery address to which the good can be 
delivered while securing said information of the first party with respect to the second party, 
comprising: 

a proxy device altering said information from the first device directed to the second 
device to prevent the second party from determining said information of the first party; and 

the proxy device providing a delivery address to the second party to which the good is 
to be delivered, the delivery address not enabling the second party to determine said 
information of the first party. 

128. The system of claim 127 wherein the first device comprises a first computer 
and the second device comprises a second computer. 

129. The system of claim 127 wherein the proxy device comprises a proxy 
computer and proxy software associated with the first computer or the proxy computer, or 
both, which alters information from the first computer. 

130. The system of claim 129 wherein the proxy software provides the delivery 
address to the second party. 

131. The system of claim 127, 128, 129 or 130 comprising a delivery means for 
delivering the good to the delivery address. 

132. The system of claim 131 wherein the good is a physical good and the delivery 
address is the address of a physical facility, and wherein the delivery means comprises means 
for physically shipping the good to the physical facility. 

133. The system of claim 132 including means for making the good available at the 
physical facility for pick up by or on behalf of the first party in a manner which does not 
require said information of the first party to be revealed at the physical facility. 

134. The system of claim 132 including means for physically shipping the good 
from the physical facility to a physical address designated by the first party which is made 
available at the physical facility but not to the second party. 

135. The system of claim 131 wherein the good is an electronically transmittable 
file and the delivery address is an electronic address of a proxy computer, and wherein the 
delivery means comprises means for electronically transmitting the file to the proxy 
computer. 

136. The system of claim 135 including means for transmitting the file to an 
electronic address of the first party which is available at the proxy computer but not to the 
second party. 

137. The system of claim 127 wherein the proxy device either redirects the good to 
a physical address designated by the first party using a proxy party who does not provide the 
second party with access to the address designated by the first party, or allows the good to be 
picked up by or on behalf of the first party anonymously. 

138. The system of claim 137 including a database storing the physical address 
designated by the first party, at least part of said information of the first party, or information 
relating to the purchase by the first party, or both, and means for accessing the database using 
information relating to the purchase or said information of the first party stored in the 
database to obtain the physical address of the first party to which the good is to be shipped. 

139. The system of claim 137 including means for providing a first label for 
association with the good, the first label having the delivery address and unique information 
relating the good and the first party with which the proxy party at the delivery address can 
identify a physical address designated by the first party to which the good is to be reshipped, 
and means for providing a second label that has the address designated by the first party and 
which can replace the first label. 

140. The system of claim 139 wherein the means for providing a second label 
includes a database mapping the unique information and the physical address designated by 
the first party. 

141. The system of claim 139 including means for providing a label for association 
with the good, the label having the delivery address and unique information relating the good 
and the first party, and wherein the proxy software provides the unique information to the 
second party. 

142. The system of claim 127 wherein the proxy device alters at least a content 
protocol layer of said information. 

143. The system of claim 127 wherein the communications network is the Internet, 
the first device comprises a first computer and the second device comprises a second 
computer, and wherein the proxy device comprises proxy software which alters at least a 
content protocol layer of said information. 

144. The system of claim 143 wherein the proxy software filters cookie data. 

145. The system of claim 143 wherein the proxy software filters active code. 

146. The method of claim 143 wherein the proxy software filters compromising 
procedures. 

147. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery 
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising: 

the first computer having identifying information which does not reveal said 
information of the first party; 

the first computer having software which 

alters information from the first computer directed to the second computer to prevent 
the second party from determining said information of the first party, and 

provides a delivery address to the second party to which the good is to be delivered, 
the delivery address not enabling the second party to determine said information of the first 
party; and 

a third party computer providing for approval or disapproval of the purchase of the 
good by the first party from the second party based on financial information relating to the 
first party, and if the purchase is approved, providing for payment to the second party while 
securing said information of the first party with respect to the second party. 

148. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery 
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising: 

a proxy device altering information from the first device directed to the second device 
to prevent the second party from determining said information of the first party; 

the proxy device providing for approval or disapproval of the purchase of the good by 
the first party from the second party based on financial information relating to the first party, 
and if the purchase is approved, providing for payment to the second party while securing 
said information of the first party with respect to the second party; and 

the proxy device providing a delivery address to the second party to which the good is 
to be delivered, the delivery address not enabling the second party to determine said 
information of the first party. 

149. The system of claim 148 wherein the first device comprises a first computer 
and the second device comprises a second computer. 

150. The system of claim 149 wherein the proxy device comprises a proxy 
computer and proxy software associated with the first computer or the proxy computer, or 
both for providing for approval or disapproval of the purchase based on financial information 
of the first party, and if the purchase is approved, for providing for payment to the second 
party and debiting of the first party. 

151. The system of claim 150 comprising at least a third computer communicating 
with the proxy computer for approving or disapproving the purchase based on financial 
information of the first party available to the third party, and if the purchase is approved, for 
electronically crediting the second party and electronically debiting the first party. 

152. The system of claim 151 comprising the third computer providing for 
payment of a fee to the proxy computer for the proxy computer's participation in purchases in 
which the third computer also participates. 

153. The system of claim 151 comprising the third computer providing for payment 
of a fee to the proxy computer for each first computer enabled to purchase from a second 
computer. 

154. The system of claim 151 comprising the third computer providing for payment 
of a fee to the proxy computer for enabling the third computer to participate in purchases 
made by first computers from second computers. 

155. The system of claim 147 comprising a third computer communicating with the 
proxy computer to provide for approval or disapproval of the purchase based on financial 
information relating to the first party and a fourth computer to provide for approval or 
disapproval of the purchase based on financial information relating to the proxy computer, 
and if the purchase is approved, the fourth computer electronically crediting of the second 
party and electronically debiting the proxy computer, and the third computer electronically 
crediting the proxy computer and electronically debiting of the first party. 

156. The system of claim 155 wherein the third computer debits a credit card 
account of the first party. 

157. The system of claim 155 comprising the third computer or the fourth 
computer, or both, providing for payment of a fee to the proxy computer for the proxy 
computer's participation in purchases in which the third computer or the fourth computer also 
participates. 

158. The system of claim 155 comprising the third computer or the fourth 
computer, or both, providing for payment of the fee to the proxy computer for each purchase 
by a first party from a second party in which the third party or the fourth party participates. 

159. The system of claim 155 comprising the third computer providing for payment 
of a fee to the proxy computer for each first computer enabled to purchase from a second 
computer. 

160. The system of claim 155 comprising the third computer providing for payment 
of a fee to the proxy computer for enabling the third computer to participate in purchases 
made by first computers from second computers. 

161. The system of claim 155 comprising the fourth computer providing for 
payment of a fee to the proxy computer for enabling the fourth computer to participate in 
purchases made by first computers from second computers. 

162. The system of claim 151 wherein a proxy computer receives information 
concerning transactions between first parties and second parties including said information of 
the first party, the proxy computer providing certain of said information of the first party to 
the third computer or the fourth computer, or both, beyond information required to provide 
for approval and disapproval of the purchase. 

163. The system of claim 148 wherein the proxy device alters at least a content 
protocol layer of said information. 

164. The method of claim 148 wherein the communications network is the Internet, 
the first device comprises a first computer and the second device comprises a second 
computer, and wherein the proxy device comprises proxy software which alters at least a 
content protocol layer of the information. 

165. The system of claim 164 wherein the proxy software filters cookie data. 

166. The system of claim 164 wherein the proxy software filters active code. 

167. The system of claim 164 wherein the proxy software filters compromising 
procedures. 

168. The system of claim 149 wherein the proxy device comprises a proxy 
computer and proxy software associated with the first computer or the proxy computer, or 
both, which alters said information from the first computer. 

169. The system of claim 168 wherein the proxy software provides the delivery to 
the second party. 

170. The system of claim 148, 149, 168 or 169 comprising a delivery means for 
delivering the good to the delivery address. 

171. The system of claim 170 wherein the good is a physical good and the delivery 
address is the address of a physical facility, and wherein the delivery means comprises means 
for physically shipping the good to the physical facility. 

172. The system of claim 170 including means for making the good available at the 
physical facility for pick up by or on behalf of the first party in a manner which does not 
require said information of the first party to be revealed at the physical facility. 

173. The system of claim 170 including means for physically shipping the good 
from the physical facility to a physical address designated by the first party which is made 
available at the physical facility but not to the second party. 

174. The system of claim 173 including a database storing the physical address 
designated by the first party, at least part of said information of the first party, or information 
relating to the purchase by the first party, or both, and means for accessing the database using 
information relating to the purchase or said information of the first party stored in the 
database to obtain the physical address of the first party to which the good is to be shipped. 

175. The system of claim 169 wherein the good is an electronically transmittable 
file and the delivery address is an electronic address of a proxy computer, and wherein the 
delivery means comprises means for electronically transmitting the file to the proxy 
computer. 

176. The system of claim 175 including means for transmitting the file to an 
electronic address of the first party which is available at the proxy computer but not to the 
second party. 

177. The system of claim 148 wherein the proxy device either redirects the good to 
an address designated by the first party using a proxy party who does not provide the second 
party with access to the address designated by the first party, or allows the good to be picked 
up by or on behalf of the first party anonymously. 

178. The system of claim 177 including means for providing a first label for 
association with the good, the first label having the delivery address and unique information 
relating the good and the first party with which the proxy party at the delivery address can 
identify an address designated by the first party to which the good is to be reshipped, and 
means for providing a second label that has the address designated by the first party and 
which can replace the first label. 

179. The system of claim 178 wherein the means for providing a second label 
includes a database mapping the unique information and the address designated by the first 
party. 

180. The system of claim 178 including means for providing a label for association 
with the good, the label having the delivery address and unique information relating the good 
and the first party, and wherein the proxy software provides the unique information to the 
second party. 

181. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery 
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising: 

the first computer having identifying information which does not reveal said 
information of the first party; 

the first computer having software which alters information from the first computer 
directed to the second computer to prevent the second party from determining said 
information of the first party; and 

a third party computer providing for approval or disapproval of the purchase of the 
good by the first party from the second party based on financial information relating to the 
first party, and if the purchase is approved, providing for payment to the second party while 
securing said information of the first party with respect to the second party. 

182. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery 
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising: 

a proxy device altering information from the first device directed to the second device 
to prevent the second party from determining said information of the first party; 

the proxy device providing for approval or disapproval of the purchase of the good by 
the first party from the second party based on financial information relating to the first party, 
and if the purchase is approved, providing for payment to the second party while securing 
said information of the first party with respect to the second party. 

183. The system of claim 182 wherein the first device comprises a first computer 
and the second device comprises a second computer. 

184. The system of claim 183 wherein the proxy device comprises a proxy 
computer and proxy software associated with the first computer or the proxy computer, or 
both for providing for approval or disapproval of the purchase based on financial information 
of the first party, and if the purchase is approved, for providing for payment to the second 
party and debiting of the first party. 

185. The system of claim 184 comprising at least a third computer communicating 
with the proxy computer for approving or disapproving the purchase based on financial 
information of the first party available to the third party, and if the purchase is approved, for 
electronically crediting the second party and electronically debiting the first party. 

186. The system of claim 185 comprising the third computer providing for payment 
of a fee to the proxy computer for the proxy computer's participation in purchases in which 
the third computer also participates. 

187. The system of claim 185 comprising the third computer providing for payment 
of a fee to the proxy computer for each first computer enabled to purchase from a second 
computer. 

188. The system of claim 185 comprising the third computer providing for payment 
of a fee to the proxy computer for enabling the third computer to participate in purchases 
made by first computers from second computers. 

189. The system of claim 184 comprising a third computer communicating with the 
proxy computer to provide for approval or disapproval of the purchase based on financial 
information relating to the first party and a fourth computer to provide for approval or 
disapproval of the purchase based on financial information relating to the proxy computer, 
and if the purchase is approved, the fourth computer electronically crediting of the second 
party and electronically debiting the proxy computer, and the third computer electronically 
crediting of the proxy computer and electronically debiting of the first party. 

190. The system of claim 189 wherein the third computer debits a credit card 
account of the first party. 

191. The system of claim 189 comprising the third computer or the fourth 
computer, or both, providing for payment of a fee to the proxy computer for the proxy 
computer's participation in purchases in which the third computer or the fourth computer also 
participates. 

192. The system of claim 189 comprising the third computer or the fourth 
computer, or both, providing for payment of the fee to the proxy computer for each purchase 
by a first party from a second party in which the third party or the fourth party participates. 

193. The system of claim 189 comprising the third computer providing for payment 
of a fee to the proxy computer for each first computer enabled to purchase from a second 
computer. 

194. The system of claim 189 comprising the third computer providing for payment 
of a fee to the proxy computer for enabling the third computer to participate in purchases 
made by first computers from second computers. 

195. The system of claim 189 comprising the fourth computer providing for 
payment of a fee to the proxy computer for enabling the fourth computer to participate in 
purchases made by first computers from second computers. 

196. The system of claim 195 wherein a proxy computer receives information 
concerning transactions between first parties and second parties including said information of 
the first party, the proxy computer providing certain of said information of the first party to 
the third computer or the fourth computer, or both, beyond information required to provide 
for approval and disapproval of the purchase. 

197. The system of claim 182 wherein the proxy device alters at least a content 
protocol layer of the information. 

198. The system of claim 182 wherein the communications network is the Internet, 
the first device comprises a first computer and the second device comprises a second 
computer, and wherein the proxy device comprises proxy software which alters at least a 
content protocol layer of said information. 

199. The system of claim 198 wherein the proxy software filters cookie data. 

200. The system of claim 198 wherein the proxy software filters active code. 

201. The system of claim 198 wherein the proxy software filters compromising 
procedures. 

202. The system of claim 183 wherein the proxy device comprises a proxy 
computer and proxy software associated with the first computer or the proxy computer, or 
both, which alters information from the first computer. 

203. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery 
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising: 

a proxy device altering information from the first device directed to the second device 
to prevent the second party from determining said information of the first party; 

at least a third device communicating with the proxy device for approving or 
disapproving the purchase based on financial information of the first party available to the 
third device, and if the purchase is approved, for electronically crediting the second party and 
electronically debiting the first party and electronically crediting the proxy device with a 
transaction fee. 

204. The system of claim 203 wherein the first device comprises a first computer, 
the second device comprises a second computer, the proxy device comprises a proxy 
computer and proxy software associated with the first computer or the proxy computer, and 
the third device comprises a third computer, the proxy software and the third computer 
cooperating to provide for approval or disapproval of the purchase based on financial 
information of the first party, and if the purchase is approved, the third computer for 
providing for payment to the second party and debiting of the first party. 

205. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery 
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising: 

a proxy device altering information from the first device directed to the second device 
to prevent the second party from determining said information of the first party; and 

(a) a third device communicating with the proxy device to provide for approval or 
disapproval of the purchase based on financial information relating to the first party, and if 
the purchase is approved, the third device electronically crediting the second party and 
electronically debiting the first party; and 

(b) a fourth device communicating with the proxy device to provide for approval or 
disapproval of the purchase based on financial information relating to the first party, and a 
fifth device to provide for approval or disapproval of the purchase based on financial 
information relating to the proxy device, and if the purchase is approved, the fifth device 
electronically crediting the second party and electronically debiting the proxy device, and the 
fourth device electronically crediting the proxy device and electronically debiting the first 
party; 

the system being configurable for operation with (a) or with (b). 

206. The system of claim 205 wherein the first device comprises a first computer, 
the second device comprises a second computer, the third device comprises a third computer, 
the fourth device comprises a fourth computer, the fifth device comprises a fifth computer, 
and the proxy device comprises a proxy computer and proxy software associated with the 
first computer or the proxy computer, the proxy software cooperating at least with the third 
computer to approve and disapprove the purchase. 

207. The system of claim 206 comprising the third computer or the fourth 
computer, or both, providing for payment of a fee to the proxy computer for the proxy 
computer's participation in purchases in which the third computer or the fourth computer also 
participates. 

208. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for payment to the second party and a delivery 
address to which the good can be delivered while securing said information of the first party 
with respect to the second party, comprising: 

a proxy device altering information from the first device directed to the second device 
to prevent the second party from determining said information of the first party; 

at least a third device communicating with the proxy device for approving or 
disapproving the purchase based on financial information of the first party available to the 
third device, and if the purchase is approved, for electronically crediting the second party and 
electronically debiting the first party while securing said information of the first party with 
respect to the second party; 

and wherein the system is configurable to provide certain of said information of the 
first party to the third device beyond information required to provide for approval and 
disapproval of the purchase. 

209. The system of claim 208 wherein the proxy device provides for a delivery 
address to the second party while securing said information of the first party, and including 
means including a shipping device for providing for delivery of the good to the delivery 
address, and wherein the system is configurable to provide certain of said information of the 
first party to the shipping device beyond information required to provide for delivery of the 
good to the delivery address. 

210. In a communications system using the Internet which includes client 
computers that access the Internet and transmit and receive messages, the client computers 
and users thereof having information of a personal or private nature specific to a respective 
user or respective client computer, server computers coupled to the Internet accessible by the 
client computers for electronic exchange of information, and at least one proxy computer 
coupled to the network which receives and transmits messages over the network and 
communicates with client computers and server computers over the Internet, and proxy 
software associated with the client computers, the proxy computer or both, the method of 
securing said information with respect to server computers comprising the steps of examining 
messages of client computers to be transmitted to server computers and messages received 
from server computers and altering at least a content protocol layer of the messages to 
prevent server computers from obtaining said information. 

211. The method of claim 210 comprising the steps of altering the network protocol 
layer and the transport protocol layer to prevent server computers from obtaining said 
information. 

212. The method of claim 210 wherein altering said information at least at a content 
layer comprises filtering cookie data. 

213. The method of claim 210 wherein altering said information at least at a content 
layer comprises filtering active code. 

214. The method of claim 210 wherein altering said information at least at a content 
layer comprises filtering compromising procedures. 

215. In a communications system using the Internet which includes client 
computers that access the Internet and transmit and receive messages, the client computers 
and users thereof having information of a personal or private nature specific to a respective 
user or respective client computer, server computers coupled to the Internet accessible by the 
client computers for electronic exchange of information, the improvement comprising at least 
one proxy computer coupled to the network which receives and transmits messages over the 
network and communicates with client computers and server computers over the Internet, 
and proxy software associated with the client computers, the proxy computer or both, the 
proxy software examining messages of client computers to be transmitted to server 
computers and messages received from server computers and altering at least a content 
protocol layer of the messages to prevent server computers from obtaining said information. 

216. The system of claim 215 wherein the proxy software alters the network 
protocol layer and the transport protocol layer to prevent server computers from obtaining 
said information. 

217. The system of claim 215 wherein the proxy software filters cookie data. 

218. The method of claim 215 wherein the proxy software filters active code. 

219. The method of claim 215 wherein the proxy software filters compromising 
procedures. 

220. A method for providing a database of a first party's transactions using a first 
device with a second party using a second device to purchase a good over a communications 
network linking the first and second devices, the first party having information of a personal 
or private nature specific to the first party or the first device, the method providing payment 
to the second party while securing said information of the first party with respect to the 
second party, comprising the steps of: 

the first and second parties communicating over the network using respective devices; 

altering information from the first device directed to the second device to prevent the 
second party from determining said information of the first party; 

providing for approval or disapproval by at least a third party of the purchase of the 
good by the first party from the second party based on financial information relating to the 
first party accessible by the third party, and if the purchase is approved, providing for 
payment to the second party while securing said information of the first party with respect to 
the second party; 

providing at least certain communications between the first and the second parties to a 
third device and collecting said data at the third device while securing said information with 
respect to the second party; and 

providing a database with the collected data which is not accessible by the second 
device or the third party. 

221. A system for providing a database of a first party's transactions using a first 
device with a second party using a second device to purchase a good over a communications 
network linking the first and second devices, the first party having information of a personal 
or private nature specific to the first party or the first device, the system also providing 
payment to the second party while securing said information of the first party with respect to 
the second party, comprising: 

proxy software associated with first device or a proxy device or both altering 
information from the first device directed to the second device to prevent the second party 
from determining said information of the first party; 

a third device coupled to the network providing for approval or disapproval by at least 
a third party of the purchase of the good by the first party from the second party based on 
financial information relating to the first party accessible by the third party, and if the 
purchase is approved, providing for payment to the second party while securing said 
information of the first party with respect to the second party; 

means for receiving at least certain communications between the first and the second 
devices and means for collecting data while securing said information with respect to the 
second party; and 

means providing a database with the collected data which is not accessible by the 
second device or the third party. 

222. A method for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the method providing for a delivery address to which the good can 
be delivered while securing said information of the first party with respect to the second 
party, comprising the steps of: 

the first and second parties communicating over the network using respective devices; 

using a proxy device altering information from the first device directed to the second 
device to prevent the second party from determining said information of the first party; and 

usmg a proxy device providing for approval or disapproval of the purchase of the 
good by the first party from the second party based on financial information relating to the 
first party, and if the purchase is approved, providing for payment to the second party while 
securing said information of the first party with respect to the second party; and 

allowing more than one first party having unique said information to use the same
first device and carrying out the altering step and the approval or disapproval and payment 
steps for purchases by each first party using the same first device while securing the unique 
information of each first party. 

223. The method of claim 222 wherein one of the first parties using the same first 
device has an account with a third party, and wherein the step of allowing more than one first
party to use the same first device comprises providing a subaccount within the first party 
account for each other first party using the same first device. 






224. The method of claim 223 wherein each first party is identified by different
secret information, and including the step of requiring a first party to provide secret
information specific to that first party to the proxy device before allowing a transaction to 
complete. 

225. A system for a first party using a first device to order a good from a second 
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the method providing for a delivery address to which the good can 
be delivered while securing said information of the first party with respect to the second 
party, comprising: 

a proxy device altering information from the first device directed to the second device
to prevent the second party from determining said information of the first party;

the proxy device providing for approval or disapproval of the purchase of the good by
the first party from the second party based on financial information relating to the first party,
and if the purchase is approved, providing for payment to the second party while securing
said information of the first party with respect to the second party and allowing more than
one first party having unique said information to use the same first device and carrying out
the altering step and the approval or disapproval and payment steps for purchases by each 
first party using the same first device while securing the unique information of each first 
party. 

226. The system of claim 225 wherein one of the first parties using the same first 
device has an account with a third party and each other first party using the same first device 
has a subaccount within the first party account, and wherein each first party is identified by
different secret information, the proxy device requiring verification of secret information 
from a first party specific to that first party before allowing a transaction to complete. 

227. A method for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second
devices, the first party having information of a personal or private nature specific to the first
party or the first device, the method providing for delivery of the good and for return of a 
delivered good, if authorized, while securing said information of the first party with respect 
to the second party, comprising the steps of: 

the first and second parties communicating over the network using respective devices; 

providing information from the first device directed to the second device for 
communicating with the second device or to order a good while securing said information of 
the first party; 

providing a delivery address to the second party to which the good is to be delivered, 
the delivery address not enabling the second party to determine said information of the first 
party; 

providing for delivery of the good to the delivery address; and 
where authorized, providing for return of the good from the delivery address or 
another address while securing said information from the second party.

228. The method of claim 227 wherein the step of providing information from the
first device directed to the second device while securing said information comprises
providing proxy identifying information specific to the first party or the first device from
which the second party can not determine said information.

229. The method of claim 227 wherein the step of providing information from the
first device directed to the second device while securing said information comprises the step 
of altering information from the first device directed to the second device. 

230. The method of claim 229 wherein the step of the first and second parties
communicating with each other over the network comprises the first party using a first 
computer and the second party using a second computer. 

231. The method of claim 230 wherein the step of altering information from the
first device comprises altering information from the first computer using proxy software 
associated with the first computer or a proxy computer, or both. 

232. The method of claim 230 wherein the step of providing the delivery address
comprises using the proxy software to provide the delivery address. 

233. The method of claim 230 wherein the good is a physical good and the delivery 
address is the address of a physical facility, and wherein the step of providing for delivery of 
the good to the delivery address includes the second party providing for physical shipment of 
the good to the physical facility. 

234. The method of claim 233 including the step of making the good available at
the physical facility for pick up by or on behalf of the first party in a manner which does not
require said information of the first party to be revealed at the physical facility.

235. The method of claim 234 including the step of returning the good from the 
physical facility to a delivery address designated by the second party while not enabling the 
second party to determine said information of the first party.

236. The method of claim 234 including the step of providing a physical address
designated by the first party to the physical facility but not to the second party. 

237. The method of claim 236 including the step of providing for shipment of the 
good from the physical facility to the physical address. 

238. The method of claim 237 including the steps of returning the good to the 
physical facility and from there to a delivery address designated by the second party while
not enabling the second party to determine said information of the first party. 

239. The method of claim 230 wherein the good is an electronically transmittable 
file and the delivery address is an electronic address of a proxy computer, the step of 
providing for delivery of the good to the delivery address including the second party 
providing for electronic transmission of the file to the proxy computer. 

240. The method of claim 239 including the step of returning the good from the 
electronic address of the proxy computer to an electronic address designated by the second 
party, or alternatively destroying the file, while not enabling the second party to determine 
said information of the first party. 

241. The method of claim 239 including the step of the proxy computer transmitting
the file to an electronic address of the first party which is available to the proxy computer but 
not to the second party. 

242. The method of claim 241 including the steps of returning the good to the
electronic address of the proxy computer and from there to an electronic address designated
by the second party, or alternatively destroying the file, while not enabling the second party
to determine said information of the first party.

243. The method of claim 228 wherein the good is an electronically transmittable
file and the delivery address is an electronic address associated with the proxy identifying 
information of the first device, the step of providing for delivery of the good to the delivery 
address including the second party providing for electronic transmission of the file to the 
electronic address of the first device.

244. The method of claim 227 including the step of providing for approval or
disapproval of the purchase of the good by the first party from the second party based on
financial information relating to the first party, and if the purchase is approved, providing for
payment to the second party while securing said information of the first party with respect to 
the second party. 

245. The method of claim 244 wherein the good is a physical good and the delivery address
is the address of a physical facility, and wherein the step of providing for delivery of the 
good to the delivery address includes the second party providing for physical shipment of the 
good to the physical facility. 

246. The method of claim 245 including the step of making the good available at 
the physical facility for pick up by or on behalf of the first party in a manner which does not 
require said information of the first party to be revealed at the physical facility. 

247. The method of claim 246 including the step of returning the good from the
physical facility to a delivery address designated by the second party and crediting the first 
party for the return while not enabling the second party to determine said information of the 
first party. 

248. The method of claim 246 including the step of providing a physical address
designated by the first party to the physical facility but not to the second party. 

249. The method of claim 248 including the step of providing for shipment of the 
good from the physical facility to the physical address. 

250. The method of claim 249 including the steps of returning the good to the
physical facility and from there to a delivery address designated by the second party and 
crediting the first party for the return while not enabling the second party to determine said 
information of the first party. 

251. The method of claim 244 wherein the good is an electronically transmittable 
file and the delivery address is an electronic address of a proxy computer, the step of 
providing for delivery of the good to the delivery address including the second party 
providing for electronic transmission of the file to the proxy computer. 

252. The method of claim 251 including the step of returning the good from the 
electronic address of the proxy computer to an electronic address designated by the second
party, or alternatively destroying the file, while not enabling the second party to determine
said information of the first party.

253. The method of claim 251 including the step of the proxy computer transmitting
the file to an electronic address of the first party which is available to the proxy computer but
not to the second party.

254. The method of claim 253 including the steps of returning the good to the
electronic address of the proxy computer and from there to an electronic address designated
by the second party, or alternatively destroying the file, and crediting the first party for the
return while not enabling the second party to determine said information of the first party.

255. A system for a first party using a first device to order a good from a second
party using a second device over a communications network linking the first and second 
devices, the first party having information of a personal or private nature specific to the first 
party or the first device, the system providing for a delivery address to which the good can be 
delivered while securing said information of the first party with respect to the second party, 
comprising: 

a proxy device altering information from the first device directed to the second device 
to prevent the second party from determining said information of the first party; and 

the proxy device providing a delivery address to the second party to which the good is 
to be delivered, the delivery address not enabling the second party to determine said 
information of the first party. 

means for providing for delivery of the good to the delivery address; and

where authorized, means for providing for return of the good from the delivery
address or another address while securing said information from the second party. 

256. The method of claim 1 or 22 including the steps of providing for physical 
delivery of a physical good to the delivery address and providing for tracking of the good 
during delivery. 

257. The system of claim 112 or 127 including means for providing for physical
delivery of a physical good to the delivery address and means for providing for tracking of 
the good during delivery. 

258. The method of claim 227 including the step of providing for tracking of the
good during delivery.

259. The method of claim 227 or 258 including the step of providing for tracking of 
the good during return. 